Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.
Reconnecting to live updates…

GHSA-52vm-mxx8-f227: Phantom: Arbitrary file write and decode-bomb DoS via unconfined MCP tool paths

0
High
Published: 07/09/2026 (07/09/2026, 13:37:34 UTC)
Source: GCVE Database
Product: phantom-audio

Description

Phantom versions up to 1.3.0 have a vulnerability where, if the PHANTOM_OUTPUT_DIR environment variable is unset, arbitrary absolute file paths can be written without confinement. This allows an attacker able to send tool calls to overwrite files writable by the process user, including shell startup files, enabling local code execution. Additionally, the audio decode paths lack size and duration limits, allowing specially crafted compressed audio files to cause memory exhaustion denial-of-service. These issues are fixed in version 1.3.1 by confining file writes, adding decode guards, and improving symlink handling.

CVSS v3.1

Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Affected software

PyPIghsa
phantom-audio
Affected versions
<1.3.1

Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.

AI-Powered Analysis

Machine-generated threat intelligence

AILast updated: 07/09/2026, 14:02:36 UTC

Technical Analysis

In Phantom <= 1.3.0, when PHANTOM_OUTPUT_DIR is unset, MCP tools accept arbitrary absolute output paths without confinement, enabling arbitrary file write by any entity able to send tool calls. This can overwrite critical user files such as shell startup scripts or Reaper __startup.lua files, effectively allowing local code execution on developer workstations. Separately, the stem-separation and render audio decode paths lack size and duration caps, allowing small compressed FLAC/OGG files to expand into multi-gigabyte PCM data, causing memory exhaustion denial-of-service and increasing exposure to decoder bugs like CVE-2026-37555 in libsndfile. The issues are addressed in Phantom 1.3.1 by confining file writes to PHANTOM_OUTPUT_DIR with symlink resolution and re-verification, adding decode/duration/size limits to separation and render paths, and hardening file creation and input reads against TOCTOU race conditions.

Potential Impact

An attacker able to send tool calls to the MCP interface can write or overwrite arbitrary files writable by the Phantom process user, including shell startup files and Reaper __startup.lua, enabling local code execution on developer workstations. Additionally, specially crafted compressed audio files can cause memory exhaustion denial-of-service due to unbounded decoding expansion. This also increases risk from decoder vulnerabilities such as CVE-2026-37555. These impacts can lead to system compromise and service disruption.

Mitigation Recommendations

A fix is available in Phantom version 1.3.1. Users should upgrade to 1.3.1 or later to ensure file writes are confined to PHANTOM_OUTPUT_DIR and decode operations have appropriate size and duration limits. As a workaround before upgrading, set PHANTOM_OUTPUT_DIR (and optionally PHANTOM_AUDIO_DIR) to dedicated directories prior to starting the server to limit exposure.

Pro Console: star threats, build custom feeds, automate alerts via Slack, email & webhooks.Upgrade to Pro

Technical Details

Gcve Source
db.gcve.eu
Osv Id
GHSA-52vm-mxx8-f227
Osv Schema Version
1.4.0
Aliases
[]
Ecosystems
["PyPI"]
Database Specific Severity
HIGH
Cvss Version
3.1

Threat ID: 6a4fa9a168715ace437d3dd4

Added to database: 07/09/2026, 14:01:05 UTC

Last enriched: 07/09/2026, 14:02:36 UTC

Last updated: 07/09/2026, 17:49:46 UTC

Views: 11

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by
Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Actions

PRO

Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.

Please log in to the Console to use AI analysis features.

Need more coverage?

Upgrade to Pro Console for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

Latest Threats

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now
OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited
View courses