CVE-2025-47274: CWE-311: Missing Encryption of Sensitive Data in stacklok toolhive

Low
Tags: Vulnerability, CVE-2025-47274, CWE-311
Published: Mon May 12 2025 (05/12/2025, 14:57:46 UTC)
Source: CVE
Vendor/Project: stacklok
Product: toolhive

Description

ToolHive is a utility designed to simplify the deployment and management of Model Context Protocol (MCP) servers. Due to the ordering of code used to start an MCP server container, versions of ToolHive prior to 0.0.33 inadvertently store secrets in the run config files which are used to restart stopped containers. This means that an attacker who has access to the home folder of the user who starts the MCP server can read secrets without needing access to the secrets store itself. This only applies to secrets which were used in containers whose run configs exist at a point in time; other secrets remain inaccessible. ToolHive 0.0.33 fixes the issue. Some workarounds are available. Stop and delete any running MCP servers, or manually remove any runconfigs from `$HOME/Library/Application Support/toolhive/runconfigs/` (macOS) or `$HOME/.state/toolhive/runconfigs/` (Linux).

AI-Powered Analysis

Last updated: 07/12/2025, 02:47:18 UTC

Technical Analysis

CVE-2025-47274 is a vulnerability affecting versions of the ToolHive utility prior to 0.0.33. ToolHive is designed to facilitate the deployment and management of Model Context Protocol (MCP) servers by automating container lifecycle operations. The vulnerability arises due to improper handling of secrets during the startup and restart process of MCP server containers. Specifically, the order of operations in the code causes secrets used by containers to be inadvertently stored in plaintext within the run configuration files. These run configuration files are persisted on disk in user-specific directories: `$HOME/Library/Application Support/toolhive/runconfigs/` on macOS and `$HOME/.state/toolhive/runconfigs/` on Linux.

An attacker who gains access to the home directory of the user who initiated the MCP server can read these run configuration files and extract sensitive secrets without needing direct access to the dedicated secrets store. This exposure is limited to secrets associated with containers that have existing run configuration files at the time of inspection; secrets for containers without such files remain protected. The vulnerability is classified under CWE-311, indicating missing encryption of sensitive data.

The issue was addressed in ToolHive version 0.0.33, which corrects the code execution order to prevent secrets from being written to disk in plaintext. Workarounds include stopping and deleting any running MCP servers or manually deleting run configuration files from the specified directories. The CVSS 4.0 base score is 2.4, reflecting a low severity primarily due to the requirement for local access to the user's home directory and the limited scope of exposed secrets. No known exploits are currently reported in the wild.
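The ordering defect described above, as an added illustration written for this page and not ToolHive's own code: a hypothetical `RunConfig` model, a constructed in-memory secrets store, the pre-fix and corrected start sequences (same two steps, reversed order), and `LeaksSecret`, the check a defender can run over a persisted run config to see whether a known secret value reached disk. All names, the config layout and the secret value are assumptions.

```go
package main

import "encoding/json"
import "strings"

// RunConfig is a hypothetical model of the run config ToolHive persists under
// runconfigs/ so a stopped container can be restarted later.
type RunConfig struct {
	Name    string            `json:"name"`
	Image   string            `json:"image"`
	EnvVars map[string]string `json:"env_vars"`
}

// Constructed stand-in for the secrets store (reference name -> secret value).
var secretsStore = map[string]string{"github_token": "ghp_CONSTRUCTED_SECRET"}

// resolveSecrets copies secret values into env under the requested env names.
func resolveSecrets(env, refs map[string]string) {
	for envName, ref := range refs {
		env[envName] = secretsStore[ref]
	}
}

// StartVulnerable mirrors the pre-0.0.33 ordering: secrets are resolved into
// the config before it is serialised, so the plaintext value reaches disk.
func StartVulnerable(cfg RunConfig, refs map[string]string) ([]byte, map[string]string) {
	resolveSecrets(cfg.EnvVars, refs)
	onDisk, _ := json.Marshal(cfg) // bytes that would be written to runconfigs/
	return onDisk, cfg.EnvVars
}

// StartFixed runs the same steps in the corrected order: serialise first, then
// resolve secrets only into the in-memory env handed to the container runtime.
func StartFixed(cfg RunConfig, refs map[string]string) ([]byte, map[string]string) {
	onDisk, _ := json.Marshal(cfg) // no secret value has been resolved yet
	resolveSecrets(cfg.EnvVars, refs)
	return onDisk, cfg.EnvVars
}

// LeaksSecret is the defender's check over a persisted run config: does any
// known secret value appear verbatim in the file contents?
func LeaksSecret(onDisk []byte) bool {
	for _, v := range secretsStore {
		if strings.Contains(string(onDisk), v) {
			return true
		}
	}
	return false
}
```

Running `LeaksSecret` over the real files in the runconfigs directory, with the values from your own secrets store, tells you which persisted configs need to be removed before upgrading.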

Potential Impact

For European organizations utilizing ToolHive to manage MCP servers, this vulnerability poses a risk of unauthorized disclosure of sensitive secrets if an attacker can gain local access to the user environment where ToolHive is run. The impact is primarily confidentiality loss, as secrets stored in run configuration files could include credentials or tokens used by MCP containers. While the vulnerability does not allow remote exploitation or privilege escalation, insider threats, compromised user accounts, or malware with user-level access could leverage this flaw to harvest secrets and potentially pivot to more critical systems. Given the niche use of ToolHive in managing MCP servers, the overall risk is limited but non-negligible for organizations relying on these technologies, especially those handling sensitive data or intellectual property. The exposure could undermine trust in containerized MCP deployments and complicate compliance with data protection regulations such as GDPR if secrets relate to personal data processing. The low CVSS score aligns with the limited attack vector and impact scope, but organizations should still address the vulnerability promptly to maintain a strong security posture.

Mitigation Recommendations

To mitigate this vulnerability, European organizations should upgrade all ToolHive installations to version 0.0.33 or later, where the issue is fixed. Until upgrades can be applied, administrators should stop and delete any running MCP server containers managed by ToolHive to prevent further creation or use of vulnerable run configuration files. Additionally, manual removal of existing run configuration files from the user directories (`$HOME/Library/Application Support/toolhive/runconfigs/` on macOS and `$HOME/.state/toolhive/runconfigs/` on Linux) is recommended to eliminate stored secrets. Organizations should also enforce strict access controls on user home directories to prevent unauthorized local access. Monitoring for unusual local access patterns or privilege escalations can help detect attempts to exploit this vulnerability. Finally, consider segregating MCP server management to dedicated, secured user accounts with minimal privileges and isolating sensitive secrets using external secret management solutions that do not rely on local file storage.

Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2025-05-05T16:53:10.372Z
CISA Enriched: true
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 682d9816c4522896dcbd681d

Added to database: 5/21/2025, 9:08:38 AM

Last enriched: 7/12/2025, 2:47:18 AM

Last updated: 8/14/2025, 12:27:20 PM
