Note: This issue documents a vulnerability that was originally reported privately as the repository security advisory GHSA-2j2p-pgfg-h6vp by @pbeza.
Root Cause
The guest agent's get_key RPC endpoint returns raw secp256k1/ed25519 private key bytes over a shared Unix socket (/run/dstack/guest-agent.sock). The derivation path is entirely caller-controlled, there is no authentication, no per-container isolation, and no rate limiting. Any process that can access the Unix socket can derive arbitrary keys, including the signing key used for VM identity (path "vms").
Attack Path
- Attacker compromises any container running inside the CVM (e.g., via a web application vulnerability)
- Compromised container connects to
/run/dstack/guest-agent.sock
- Attacker calls
get_key with path = "vms" and algorithm = "secp256k1" to get the VM signing key
- Attacker calls
get_key with arbitrary paths to derive additional keys
- Attacker now holds private keys that can impersonate the CVM or sign arbitrary messages
Impact
Any compromised container in the CVM can extract all derived private keys. The guest agent provides no isolation between containers — a vulnerability in any workload running in the CVM gives the attacker access to all cryptographic keys, including the VM identity key.
Suggested Fix
- Implement per-container key isolation — derive keys using a container-specific context (e.g., container ID or cgroup path)
- Add access control on the Unix socket (e.g., per-container sockets with different permissions)
- Consider returning only public keys and providing a
sign operation instead of exposing raw private keys
- Add rate limiting to prevent key enumeration
Note: This finding was reported automatically as part of an AI/Claude-driven internal audit by the NEAR One MPC team. It has not been manually verified by a human to confirm whether it constitutes an actual security issue.
Root Cause
The guest agent's
get_keyRPC endpoint returns raw secp256k1/ed25519 private key bytes over a shared Unix socket (/run/dstack/guest-agent.sock). The derivation path is entirely caller-controlled, there is no authentication, no per-container isolation, and no rate limiting. Any process that can access the Unix socket can derive arbitrary keys, including the signing key used for VM identity (path "vms").Attack Path
/run/dstack/guest-agent.sockget_keywithpath = "vms"andalgorithm = "secp256k1"to get the VM signing keyget_keywith arbitrary paths to derive additional keysImpact
Any compromised container in the CVM can extract all derived private keys. The guest agent provides no isolation between containers — a vulnerability in any workload running in the CVM gives the attacker access to all cryptographic keys, including the VM identity key.
Suggested Fix
signoperation instead of exposing raw private keys