Jul 9, 2026·5 min read·3 visits
The phantom-audio package (<= 1.3.0) lacks path-confinement controls for its MCP tool paths and has no restriction limits on audio decompression size. Attackers manipulating AI agents can overwrite critical files to obtain local code execution, or cause severe denial-of-service conditions via decompression bombs.
GHSA-52vm-mxx8-f227 is a dual-vector security flaw in phantom-audio (<= 1.3.0). The vulnerability allows arbitrary file writes due to unconfined Model Context Protocol (MCP) tool paths when the PHANTOM_OUTPUT_DIR environment variable is not defined. Concurrently, the platform lacks validation controls during the decompression of highly compressed audio files, resulting in resource-exhaustion denial of service and downstream parsing vulnerability exposure.
The Model Context Protocol (MCP) enables Large Language Models (LLMs) to programmatically interface with local system directories and executable tools. In the context of the phantom-audio ecosystem, an automated audio engineering framework, multiple tools are registered to handle post-production tasks such as stem separation, audio rendering, and direct file exportation. The attack surface is exposed directly through these registered tool boundaries, which process parameters passed from driving AI agents.
When the PHANTOM_OUTPUT_DIR environment variable is left undefined, the platform defaults to an unconfined state where absolute target file paths are accepted from the driving model. The application processes these requests natively, enabling write permissions to arbitrary storage locations within the context of the executing user's privileges.
In addition to path traversal, the package's ingestion engine handles compressed file streams (such as OGG or FLAC formats) for analysis. The decompression routines fail to validate logical boundaries, allowing small, highly compressed audio payloads to expand dynamically into multi-gigabyte structures in workstation memory, causing localized denial-of-service states.
The root cause of the arbitrary file write flaw lies in the path initialization logic of the MCP tool handlers. Upon startup, if PHANTOM_OUTPUT_DIR is not defined within the environment, the server fails to construct a restricted canonical base directory. Lacking this base directory, incoming path parameters are processed directly through platform-specific file writers without validation against target confinement rules.
The application does not invoke canonicalization functions like os.path.realpath or verify if target file paths resolve inside a dedicated sandbox directory. Consequently, when an agent-driven utility executes a write operation, the target path is used as-is, opening the possibility for path traversals (CWE-22) and external control of file names (CWE-73).
The second vulnerability, mapped to CWE-400, stems from uncontrolled resource consumption during the decoding phase of compressed audio files. Compressed formats leverage frequency-domain modeling to compress uniform silence or repetitive synthetic audio patterns. The phantom-audio ingestion pipelines do not check parameters like overall duration, frame-counts, or channel matrices before rawPCM expansion, causing immediate memory depletion upon parsing.
The original implementation of the file generation tool accepted absolute paths directly, executing unchecked write requests.
# VULNERABLE SYSTEM LOGIC (<= 1.3.0)
def handle_write_tool(arguments):
# Root Cause: Direct usage of the client-controlled argument path
target_path = arguments.get("output_path")
data = arguments.get("data")
with open(target_path, "wb") as f:
f.write(data)In version 1.3.1, path validation logic was added to enforce strict sandbox confinement using canonicalized path verification. To protect against Time-of-Check to Time-of-Use (TOCTOU) exploits such as symlink swapping, version 1.3.1 implements atomic writes via system-level descriptor options.
# SECURED LOGIC (1.3.1)
import os
def secure_handle_write_tool(arguments):
# 1. Fetch configured base directory, defaulting to home subfolder
base_dir = os.environ.get("PHANTOM_OUTPUT_DIR", os.path.expanduser("~/.phantom/output"))
canonical_base = os.path.realpath(base_dir)
# 2. Canonicalize the requested target path
requested_path = arguments.get("output_path")
canonical_target = os.path.realpath(requested_path)
# 3. Enforce strict directory prefix constraint
if not canonical_target.startswith(canonical_base + os.sep):
raise PermissionError("Access Denied: Path escapes sandbox boundary")
# 4. Use secure, atomic opening flags to block symlink redirections
data = arguments.get("data")
flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL
file_descriptor = os.open(canonical_target, flags, 0o600)
with os.fdopen(file_descriptor, 'wb') as target_file:
target_file.write(data)Additionally, the decompression engine was modified to configure safe constraints on sub-process decoders like ffmpeg by implementing -max_alloc, -t (duration limits), and -fs (maximum file size) limits.
Exploitation of the file write vulnerability typically relies on indirect prompt injection. Because the MCP server is designed to process tasks for an LLM agent, an attacker can craft a malicious prompt injection payload within an untrusted audio file's metadata tags, or within a target code repository.
When the developer instructs the AI agent to analyze the affected directory or audio metadata, the agent parses the prompt injection payload. The injection directs the model to execute the file-writing tool, specifying a sensitive target path such as ~/.zshrc or ~/.bash_profile. The agent then executes the tool call, placing shell commands into the shell initialization script. The next time the user opens a shell session, the commands run under the user's execution scope.
The impact of the arbitrary write flaw is high, permitting Local Code Execution (LCE) on the developer's local workstation. Because developer environments contain sensitive operational assets (such as access tokens, environment keys, and SSH credentials), local execution compromises the integrity of connected CI/CD systems and code repositories.
The decompression bomb vector presents a predictable denial-of-service path. When large PCM structures saturate workstation RAM, the operating system invokes its Out-Of-Memory (OOM) killer, terminating the MCP application process and destabilizing concurrent host tasks.
Processing massive unvalidated memory buffers also increases exposure to parsing vulnerabilities. Underlying C-libraries like libsndfile and complex codecs in ffmpeg are prone to buffer overflows when handling malformed headers alongside bloated allocation limits, potentially facilitating host execution escape from the interpreter.
The most effective remediation is upgrading the local installation of phantom-audio to version 1.3.1. This release contains path canonicalization validations and secure resource allocation limitations.
For systems where immediate upgrades are not feasible, you can apply temporary environment variable workarounds. Explicitly setting both target directory boundaries restricts write parameters and overrides unconfined default behaviors.
Additionally, running the MCP service within sandboxed namespaces, such as isolated Docker containers or restricted system profiles, limits access to sensitive user configuration files like terminal profiles.
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N| Product | Affected Versions | Fixed Version |
|---|---|---|
phantom-audio fadelabs | <= 1.3.0 | 1.3.1 |
| Attribute | Detail |
|---|---|
| Vulnerability ID | GHSA-52vm-mxx8-f227 |
| CWE Mapping | CWE-22, CWE-73, CWE-400 |
| Attack Vector | Local (via manipulation of AI Agent prompt instructions or direct file ingestion) |
| CVSS Severity | 7.7 (High) |
| CVSS Vector String | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
| Exploit Status | Proof of Concept / Analytical |
| Impact Category | Arbitrary File Writes, Local Code Execution (LCE), Denial of Service (DoS) |
The software uses external input to construct a pathname that is intended to identify a directory or file that is located under a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location outside of the restricted directory.
The Netty-based HTTP Client in the Micronaut framework fails to enforce a maximum redirect ceiling by default when processing HTTP responses. This permits remote, attacker-controlled servers to trigger continuous, infinite redirect loops. The resulting recursion causes high CPU utilization, thread starvation, and potential memory exhaustion, inducing a Denial of Service (DoS) state in client-side applications.
An information disclosure vulnerability exists in the Micronaut Framework's HTTP client components. The client fails to clear sensitive authorization headers and cookies when following redirects across different origins. If an application using the vulnerable client communicates with an endpoint that issues a redirect to an external host, the client will forward the original credentials, leading to potential token theft and session hijacking.
An authenticated path traversal and arbitrary local file read vulnerability exists in Craft CMS versions 4.x up to 4.17.6 within the assets/icon endpoint and Assets helper classes. By exploiting this vulnerability, an authenticated user can traverse directories and read arbitrary .svg files on the server's filesystem, or execute Stored Cross-Site Scripting (XSS) if they can upload a malicious SVG.
CVE-2026-56382 is a high-severity remote code execution vulnerability in Craft CMS versions 5.5.0 through 5.9.13. The vulnerability exists within the FieldsController::actionRenderCardPreview() method due to a lack of sanitization of the user-supplied fieldLayoutConfig configuration array, permitting authenticated administrators to register arbitrary PHP callbacks using Yii2 event handler injection mechanisms. This issue has been fully remediated in version 5.9.14.
An insecure direct object reference (IDOR) and missing authorization validation check in the Gittensory REST API and Model Context Protocol (MCP) server allowed authenticated users to query arbitrary miner profiles, exposing sensitive cryptographic hotkeys and daily financial/economic yields.
Code16 Sharp versions from 9.0.0 up to (but not including) 9.22.3 are vulnerable to a missing authorization flaw in the Quick Creation Command feature. The ApiEntityListQuickCreationCommandController fails to validate entity-level 'create' policies before returning administrative form designs or processing database modifications. Authenticated users with restricted access can bypass policy boundaries to access creation configurations and insert records.