DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

GHSA-52VM-MXX8-F227: GHSA-52vm-mxx8-f227: Arbitrary File Write and Decompression Denial of Service in phantom-audio

GHSA-52vm-mxx8-f227: Arbitrary File Write and Decompression Denial of Service in phantom-audio

Vulnerability ID: GHSA-52VM-MXX8-F227
CVSS Score: 7.7
Published: 2026-07-09

GHSA-52vm-mxx8-f227 is a dual-vector security flaw in phantom-audio (<= 1.3.0). The vulnerability allows arbitrary file writes due to unconfined Model Context Protocol (MCP) tool paths when the PHANTOM_OUTPUT_DIR environment variable is not defined. Concurrently, the platform lacks validation controls during the decompression of highly compressed audio files, resulting in resource-exhaustion denial of service and downstream parsing vulnerability exposure.

TL;DR

The phantom-audio package (<= 1.3.0) lacks path-confinement controls for its MCP tool paths and has no restriction limits on audio decompression size. Attackers manipulating AI agents can overwrite critical files to obtain local code execution, or cause severe denial-of-service conditions via decompression bombs.


⚠️ Exploit Status: POC

Technical Details

  • Vulnerability ID: GHSA-52vm-mxx8-f227
  • CWE Mapping: CWE-22, CWE-73, CWE-400
  • Attack Vector: Local (via manipulation of AI Agent prompt instructions or direct file ingestion)
  • CVSS Severity: 7.7 (High)
  • CVSS Vector String: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
  • Exploit Status: Proof of Concept / Analytical
  • Impact Category: Arbitrary File Writes, Local Code Execution (LCE), Denial of Service (DoS)

Affected Systems

  • Workstations running phantom-audio version 1.3.0 or prior as an MCP service
  • Developer environments integrating automated AI agent tools using phantom-audio components
  • phantom-audio: <= 1.3.0 (Fixed in: 1.3.1)

Mitigation Strategies

  • Upgrade to phantom-audio version 1.3.1 or newer to enforce system-level path verification.
  • Explicitly define PHANTOM_OUTPUT_DIR and PHANTOM_AUDIO_DIR in the environment to establish restricted sandbox paths.
  • Run the MCP server processes inside isolated Docker containers or local gVisor runtimes to limit filesystem access.
  • Implement restrictive file permissions on terminal initialization files (~/.zshrc, ~/.bashrc) to prevent unexpected modifications.

Remediation Steps:

  1. Run 'pip install --upgrade phantom-audio' to deploy the patched 1.3.1 release.
  2. Identify active configurations running the MCP server process.
  3. Set environment bounds by executing: export PHANTOM_OUTPUT_DIR="/tmp/phantom_sandbox/output" before starting the server.
  4. Verify directory limits by invoking write test queries targeting absolute boundaries outside the designated output folder.

References


Read the full report for GHSA-52VM-MXX8-F227 on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)