GHSA-52vm-mxx8-f227: Phantom: Arbitrary file write and decode-bomb DoS via unconfined MCP tool paths
Impact
In Phantom <= 1.3.0, when PHANTOM_OUTPUT_DIR was unset (the default), the MCP tools accepted arbitrary absolute output paths with no confinement. Anything able to send tool calls (e.g. an AI agent driving the MCP interface) could write or overwrite arbitrary files the process user can write — including shell startup files (~/.zshrc) or a Reaper __startup.lua, which is effectively local code execution on a developer workstation.
Separately, the stem-separation and render paths decoded input audio with no size/duration cap (the analysis path was already guarded). A small, highly compressed FLAC/OGG could expand to multi-gigabyte PCM, causing memory-exhaustion DoS, and widened exposure to decoder bugs including libsndfile CVE-2026-37555.
Patches
Fixed in 1.3.1:
- File writes are always confined to PHANTOM_OUTPUT_DIR (default ~/.phantom/output); symlinks resolved and re-verified on the final path.
- Decode/duration/size guards mirrored onto the separation and render paths (plus ffmpeg -max_alloc/-t/-fs).
- Atomic O_CREAT|O_EXCL output creation in reference matching and symlink-TOCTOU hardening on confined input reads.
Workarounds
Set PHANTOM_OUTPUT_DIR (and optionally PHANTOM_AUDIO_DIR) to dedicated directories before starting the server.
Credit
Found during an internal security audit.
Details
Original advisory: https://github.com/advisories/GHSA-52vm-mxx8-f227
More from GitHub Security Advisories
- criticalGHSA-g936-7jqj-mwv8: TSDProxy: Internal proxy auth token forwarded to backend services enables management API …2026-07-10
- highGHSA-fpg8-7664-jc5q: melange: Incomplete package integrity verification allows data section substitution2026-07-10
- mediumGHSA-48rx-c7pg-q66r: Excon does not redact additional sensitive/risky headers when following redirects2026-07-10
- highGHSA-h4g2-xfmw-q2c9: Clauster: Non-loopback deployments can serve the dashboard unauthenticated when auth.enab…2026-07-10
- mediumGHSA-rqq5-2gf9-4w4q: Secure Headers: CSP directive injection via sandbox, plugin_types, and report_to when giv…2026-07-10