GHSA-52VM-MXX8-F227

Vulnerability from github – Published: 2026-07-09 13:37 – Updated: 2026-07-09 13:37
VLAI
Summary
Phantom: Arbitrary file write and decode-bomb DoS via unconfined MCP tool paths
Details

Impact

In Phantom <= 1.3.0, when PHANTOM_OUTPUT_DIR was unset (the default), the MCP tools accepted arbitrary absolute output paths with no confinement. Anything able to send tool calls (e.g. an AI agent driving the MCP interface) could write or overwrite arbitrary files the process user can write — including shell startup files (~/.zshrc) or a Reaper __startup.lua, which is effectively local code execution on a developer workstation.

Separately, the stem-separation and render paths decoded input audio with no size/duration cap (the analysis path was already guarded). A small, highly compressed FLAC/OGG could expand to multi-gigabyte PCM, causing memory-exhaustion DoS, and widened exposure to decoder bugs including libsndfile CVE-2026-37555.

Patches

Fixed in 1.3.1: - File writes are always confined to PHANTOM_OUTPUT_DIR (default ~/.phantom/output); symlinks resolved and re-verified on the final path. - Decode/duration/size guards mirrored onto the separation and render paths (plus ffmpeg -max_alloc/-t/-fs). - Atomic O_CREAT|O_EXCL output creation in reference matching and symlink-TOCTOU hardening on confined input reads.

Workarounds

Set PHANTOM_OUTPUT_DIR (and optionally PHANTOM_AUDIO_DIR) to dedicated directories before starting the server.

Credit

Found during an internal security audit.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.3.0"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "phantom-audio"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.3.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-400",
      "CWE-73"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-07-09T13:37:34Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Impact\n\nIn Phantom \u003c= 1.3.0, when `PHANTOM_OUTPUT_DIR` was unset (the default), the MCP tools accepted arbitrary absolute output paths with no confinement. Anything able to send tool calls (e.g. an AI agent driving the MCP interface) could **write or overwrite arbitrary files** the process user can write \u2014 including shell startup files (`~/.zshrc`) or a Reaper `__startup.lua`, which is effectively local code execution on a developer workstation.\n\nSeparately, the stem-separation and render paths decoded input audio with no size/duration cap (the analysis path was already guarded). A small, highly compressed FLAC/OGG could expand to multi-gigabyte PCM, causing memory-exhaustion DoS, and widened exposure to decoder bugs including libsndfile CVE-2026-37555.\n\n### Patches\nFixed in **1.3.1**:\n- File writes are always confined to `PHANTOM_OUTPUT_DIR` (default `~/.phantom/output`); symlinks resolved and re-verified on the final path.\n- Decode/duration/size guards mirrored onto the separation and render paths (plus ffmpeg `-max_alloc`/`-t`/`-fs`).\n- Atomic `O_CREAT|O_EXCL` output creation in reference matching and symlink-TOCTOU hardening on confined input reads.\n\n### Workarounds\nSet `PHANTOM_OUTPUT_DIR` (and optionally `PHANTOM_AUDIO_DIR`) to dedicated directories before starting the server.\n\n### Credit\nFound during an internal security audit.",
  "id": "GHSA-52vm-mxx8-f227",
  "modified": "2026-07-09T13:37:34Z",
  "published": "2026-07-09T13:37:34Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/fadelabs/phantom/security/advisories/GHSA-52vm-mxx8-f227"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/fadelabs/phantom"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Phantom: Arbitrary file write and decode-bomb DoS via unconfined MCP tool paths"
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…