{"id":"GHSA-52vm-mxx8-f227","title":"Phantom: Arbitrary file write and decode-bomb DoS via unconfined MCP tool paths","summary":"Phantom: Arbitrary file write and decode-bomb DoS via unconfined MCP tool paths","severity":"high","cvss":7.7,"cwe":["CWE-22","CWE-73","CWE-400"],"vendor":"phantom-audio","product":"phantom-audio","ecosystem":"pip","affected":["phantom-audio <= 1.3.0"],"patched":["phantom-audio 1.3.1"],"published":"2026-07-09","updated":"2026-07-09","source":"GHSA","sourceUrl":"https://github.com/advisories/GHSA-52vm-mxx8-f227","references":[{"url":"https://github.com/fadelabs/phantom/security/advisories/GHSA-52vm-mxx8-f227"},{"url":"https://github.com/advisories/GHSA-52vm-mxx8-f227"}],"tags":["ghsa","pip"],"ingestedAt":"2026-07-09T13:51:05.201Z","slug":"GHSA-52vm-mxx8-f227","body":"## Overview\n\n### Impact\n\nIn Phantom <= 1.3.0, when `PHANTOM_OUTPUT_DIR` was unset (the default), the MCP tools accepted arbitrary absolute output paths with no confinement. Anything able to send tool calls (e.g. an AI agent driving the MCP interface) could **write or overwrite arbitrary files** the process user can write — including shell startup files (`~/.zshrc`) or a Reaper `__startup.lua`, which is effectively local code execution on a developer workstation.\n\nSeparately, the stem-separation and render paths decoded input audio with no size/duration cap (the analysis path was already guarded). A small, highly compressed FLAC/OGG could expand to multi-gigabyte PCM, causing memory-exhaustion DoS, and widened exposure to decoder bugs including libsndfile CVE-2026-37555.\n\n### Patches\nFixed in **1.3.1**:\n- File writes are always confined to `PHANTOM_OUTPUT_DIR` (default `~/.phantom/output`); symlinks resolved and re-verified on the final path.\n- Decode/duration/size guards mirrored onto the separation and render paths (plus ffmpeg `-max_alloc`/`-t`/`-fs`).\n- Atomic `O_CREAT|O_EXCL` output creation in reference matching and symlink-TOCTOU hardening on confined input reads.\n\n### Workarounds\nSet `PHANTOM_OUTPUT_DIR` (and optionally `PHANTOM_AUDIO_DIR`) to dedicated directories before starting the server.\n\n### Credit\nFound during an internal security audit.\n\n## Affected packages\n\n- `phantom-audio <= 1.3.0`\n\n## Remediation\n\nUpgrade to a patched release:\n\n- `phantom-audio 1.3.1`","depth":"twilight","depthScore":42,"depthScoreParts":{"impact":42.4,"likelihood":0,"exploitation":0,"ransomware":0},"changes":[]}