{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-47274", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-05-05T16:53:10.372Z", "datePublished": "2025-05-12T14:57:46.781Z", "dateUpdated": "2025-05-12T22:06:42.029Z"}, "containers": {"cna": {"title": "ToolHive stores secrets in the state store with no encryption", "problemTypes": [{"descriptions": [{"cweId": "CWE-311", "lang": "en", "description": "CWE-311: Missing Encryption of Sensitive Data", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 2.4, "baseSeverity": "LOW", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/stacklok/toolhive/security/advisories/GHSA-xj5p-w2v5-fjm6", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/stacklok/toolhive/security/advisories/GHSA-xj5p-w2v5-fjm6"}, {"name": "https://github.com/stacklok/toolhive/commit/e8efa1b1d7b0776a39339257d30bf6c4a171f2b8", "tags": ["x_refsource_MISC"], "url": "https://github.com/stacklok/toolhive/commit/e8efa1b1d7b0776a39339257d30bf6c4a171f2b8"}, {"name": "https://github.com/stacklok/toolhive/releases/tag/v0.0.33", "tags": ["x_refsource_MISC"], "url": "https://github.com/stacklok/toolhive/releases/tag/v0.0.33"}], "affected": [{"vendor": "stacklok", "product": "toolhive", "versions": [{"version": "< 0.0.33", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-05-12T14:57:46.781Z"}, "descriptions": [{"lang": "en", "value": "ToolHive is a utility designed to simplify the deployment and management of Model Context Protocol (MCP) servers. Due to the ordering of code used to start an MCP server container, versions of ToolHive prior to 0.0.33 inadvertently store secrets in the run config files which are used to restart stopped containers. This means that an attacker who has access to the home folder of the user who starts the MCP server can read secrets without needing access to the secrets store itself. This only applies to secrets which were used in containers whose run configs exist at a point in time - other secrets remaining inaccessible. ToolHive 0.0.33 fixes the issue. Some workarounds are available. Stop and delete any running MCP servers, or manually remove any runconfigs from `$HOME/Library/Application Support/toolhive/runconfigs/` (macOS) or `$HOME/.state/toolhive/runconfigs/` (Linux)."}], "source": {"advisory": "GHSA-xj5p-w2v5-fjm6", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-05-12T21:43:07.365806Z", "id": "CVE-2025-47274", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-12T22:06:42.029Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-47274", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-05-12T21:43:07.365806Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-12T21:45:30.655Z"}}], "cna": {"title": "ToolHive stores secrets in the state store with no encryption", "source": {"advisory": "GHSA-xj5p-w2v5-fjm6", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 2.4, "attackVector": "LOCAL", "baseSeverity": "LOW", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "LOW"}}], "affected": [{"vendor": "stacklok", "product": "toolhive", "versions": [{"status": "affected", "version": "< 0.0.33"}]}], "references": [{"url": "https://github.com/stacklok/toolhive/security/advisories/GHSA-xj5p-w2v5-fjm6", "name": "https://github.com/stacklok/toolhive/security/advisories/GHSA-xj5p-w2v5-fjm6", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/stacklok/toolhive/commit/e8efa1b1d7b0776a39339257d30bf6c4a171f2b8", "name": "https://github.com/stacklok/toolhive/commit/e8efa1b1d7b0776a39339257d30bf6c4a171f2b8", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/stacklok/toolhive/releases/tag/v0.0.33", "name": "https://github.com/stacklok/toolhive/releases/tag/v0.0.33", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "ToolHive is a utility designed to simplify the deployment and management of Model Context Protocol (MCP) servers. Due to the ordering of code used to start an MCP server container, versions of ToolHive prior to 0.0.33 inadvertently store secrets in the run config files which are used to restart stopped containers. This means that an attacker who has access to the home folder of the user who starts the MCP server can read secrets without needing access to the secrets store itself. This only applies to secrets which were used in containers whose run configs exist at a point in time - other secrets remaining inaccessible. ToolHive 0.0.33 fixes the issue. Some workarounds are available. Stop and delete any running MCP servers, or manually remove any runconfigs from `$HOME/Library/Application Support/toolhive/runconfigs/` (macOS) or `$HOME/.state/toolhive/runconfigs/` (Linux)."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-311", "description": "CWE-311: Missing Encryption of Sensitive Data"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-05-12T14:57:46.781Z"}}}, "cveMetadata": {"cveId": "CVE-2025-47274", "state": "PUBLISHED", "dateUpdated": "2025-05-12T22:06:42.029Z", "dateReserved": "2025-05-05T16:53:10.372Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2025-05-12T14:57:46.781Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "ToolHive is a utility designed to simplify the deployment and management of Model Context Protocol (MCP) servers. Due to the ordering of code used to start an MCP server container, versions of ToolHive prior to 0.0.33 inadvertently store secrets in the run config files which are used to restart stopped containers. This means that an attacker who has access to the home folder of the user who starts the MCP server can read secrets without needing access to the secrets store itself. This only applies to secrets which were used in containers whose run configs exist at a point in time - other secrets remaining inaccessible. ToolHive 0.0.33 fixes the issue. Some workarounds are available. Stop and delete any running MCP servers, or manually remove any runconfigs from `$HOME/Library/Application Support/toolhive/runconfigs/` (macOS) or `$HOME/.state/toolhive/runconfigs/` (Linux)."}], "id": "CVE-2025-47274", "lastModified": "2025-05-12T17:32:32.760", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 2.4, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "[email protected]", "type": "Secondary"}]}, "published": "2025-05-12T15:16:01.530", "references": [{"source": "[email protected]", "url": "https://github.com/stacklok/toolhive/commit/e8efa1b1d7b0776a39339257d30bf6c4a171f2b8"}, {"source": "[email protected]", "url": "https://github.com/stacklok/toolhive/releases/tag/v0.0.33"}, {"source": "[email protected]", "url": "https://github.com/stacklok/toolhive/security/advisories/GHSA-xj5p-w2v5-fjm6"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-311"}], "source": "[email protected]", "type": "Primary"}]}

{}