Model Context Protocol Registry OCI Ownership Validation Bypass Vulnerability

Vulnerability

A vulnerability in the Model Context Protocol (MCP) Registry's handling of Open Container Initiative (OCI) image ownership validation has been identified. Prior to version 1.7.9, the registry's validation process failed to properly check ownership when the upstream OCI registry responded with an HTTP 429 status, indicating that the registry had been rate-limited. This oversight allowed authenticated publishers to falsely claim ownership of OCI images by binding them to their namespace, without actually controlling those images. The vulnerability arises because the label-match check, which serves as the only cross-system ownership proof for OCI packages, is skipped during rate-limit responses: the validator fails open instead of failing closed. As a result, publishers could exploit this behavior to impersonate authorship of unrelated images, creating a typo-squatting risk on registry search and discovery surfaces.

Impact

Exploiting this vulnerability allows an authenticated publisher to bypass the only ownership validation for OCI packages, claiming any public OCI image from an allowlisted registry under their own namespace, without actual control over the image. This misrepresentation can lead to impersonation or typo-squatting, as the registry search results will incorrectly associate the claimed image with the publisher.

Reproduction

The vulnerability can be reproduced by following these steps:

1. Create a free GitHub account.
2. Obtain a registry JWT by exchanging a GitHub OAuth access token through the '/v0/auth/github-at' endpoint.
3. From a single IP address, send approximately 100 publish requests that reference real public Docker Hub images lacking the required 'io.modelcontextprotocol.server.name' label. This will consume the registry's anonymous quota for Docker Hub, causing subsequent requests to be rate-limited.
4. While the IP is still rate-limited, send a publish request that claims an unrelated Docker Hub image under the 'io.github.<attacker>/<typo-squat-name>' namespace. The 'ValidateOCI' function will skip the ownership check due to the 429 response, allowing the publish to be accepted without verification.
5. The published server record will incorrectly assert ownership of the Docker Hub image, despite the absence of any label proof.
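The flaw described above is a fail-open validator: a rate-limit answer from upstream is treated as "nothing to check" rather than "could not verify". The following Go example, added here and not taken from the MCP Registry's code base, places that pattern beside a fail-closed version so the difference can be tested. The label name 'io.modelcontextprotocol.server.name' comes from the advisory; the function names, the 'Fetcher' type, the error values and the two Docker Hub image references are constructed for illustration and are not the registry's real API, and the in-memory fetcher stands in for the upstream OCI registry so the code runs offline.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
)

// ServerNameLabel is the OCI image label the advisory names as the
// cross-system ownership proof: it must equal the server name being published.
const ServerNameLabel = "io.modelcontextprotocol.server.name"

// Sentinel errors so callers can tell "proof absent" from "upstream unavailable".
var (
	ErrMissingLabel        = errors.New("image carries no " + ServerNameLabel + " label")
	ErrLabelMismatch       = errors.New("image label does not match the claimed server name")
	ErrUpstreamRateLimited = errors.New("upstream OCI registry rate-limited the lookup; ownership unverified")
)

// LabelLookup is the constructed result of asking an upstream OCI registry for
// an image's config labels: the HTTP status it answered with, plus the labels.
type LabelLookup struct {
	Status int
	Labels map[string]string
}

// Fetcher is a hypothetical abstraction over the upstream call.
type Fetcher func(imageRef string) (LabelLookup, error)

// checkLabel is the real ownership proof: the label on the image must match
// the server name the publisher claims.
func checkLabel(labels map[string]string, serverName string) error {
	got, ok := labels[ServerNameLabel]
	if !ok {
		return ErrMissingLabel
	}
	if got != serverName {
		return fmt.Errorf("%w: image says %q, request says %q", ErrLabelMismatch, got, serverName)
	}
	return nil
}

// validateOCIPermissive shows the flawed pattern the advisory describes:
// a 429 from upstream is treated as "nothing to check" and the publish passes.
func validateOCIPermissive(fetch Fetcher, imageRef, serverName string) error {
	res, err := fetch(imageRef)
	if err != nil {
		return err
	}
	if res.Status == http.StatusTooManyRequests {
		return nil // BUG: the only ownership proof is skipped here
	}
	if res.Status != http.StatusOK {
		return fmt.Errorf("upstream returned HTTP %d", res.Status)
	}
	return checkLabel(res.Labels, serverName)
}

// validateOCIStrict fails closed: a publish is accepted only when upstream
// answered 200 and the label matched. A 429 becomes a distinct error so the
// API layer can return a retry-later response instead of accepting the claim.
func validateOCIStrict(fetch Fetcher, imageRef, serverName string) error {
	res, err := fetch(imageRef)
	if err != nil {
		return err
	}
	switch res.Status {
	case http.StatusOK:
		return checkLabel(res.Labels, serverName)
	case http.StatusTooManyRequests:
		return ErrUpstreamRateLimited
	default:
		return fmt.Errorf("upstream returned HTTP %d; ownership unverified", res.Status)
	}
}

// newConstructedFetcher is an in-memory stand-in for Docker Hub holding two
// constructed images; rateLimited simulates an exhausted anonymous quota.
func newConstructedFetcher(rateLimited bool) Fetcher {
	images := map[string]map[string]string{
		"docker.io/example/owned-server:1.0": {ServerNameLabel: "io.github.alice/owned-server"},
		"docker.io/example/unrelated:latest": {}, // an image that carries no label at all
	}
	return func(imageRef string) (LabelLookup, error) {
		if rateLimited {
			return LabelLookup{Status: http.StatusTooManyRequests}, nil
		}
		labels, ok := images[imageRef]
		if !ok {
			return LabelLookup{Status: http.StatusNotFound}, nil
		}
		return LabelLookup{Status: http.StatusOK, Labels: labels}, nil
	}
}

func main() {
	claim, image := "io.github.alice/unrelated", "docker.io/example/unrelated:latest"
	limited := newConstructedFetcher(true)
	fmt.Println("permissive, upstream 429:", validateOCIPermissive(limited, image, claim)) // <nil>: accepted
	fmt.Println("strict, upstream 429:", validateOCIStrict(limited, image, claim))          // rate-limited error
	healthy := newConstructedFetcher(false)
	fmt.Println("strict, upstream 200:", validateOCIStrict(healthy, image, claim)) // missing-label error
}
```

The design point is that "upstream could not answer" and "upstream answered and the proof is absent" are different outcomes and neither may be collapsed into "proof present". Reviewing an existing validator, the check is simple: every branch that returns success must be reachable only after the label comparison has actually run.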

Remediation

Users are advised to update to version 1.7.9 or later, where this vulnerability has been fixed.

Added: May 14, 2026, 9:40 PM
Updated: May 14, 2026, 9:40 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.6
exploitability: 6.2
remediation: 0.0
relevance: 8.3
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.