{"data":{"id":"6d98e40e-c4f1-465a-a12a-43970b64e2ae","title":"GHSA-2c7f-fxww-6w6c: yutu: Arbitrary File Write via MCP `caption-download` Tool","summary":"The yutu MCP tool `caption-download` has a vulnerability where it writes downloaded files to any path specified by an attacker, bypassing the `YUTU_ROOT` directory boundary that should confine all file operations. Unlike other caption methods that properly use `pkg.Root.Open()` to restrict file access, `Caption.Download()` directly calls `os.Create()` on the attacker-supplied file path, allowing arbitrary file writes anywhere the yutu process has permission to write (CVSS 7.7, high severity).","solution":"Change line 272 in `pkg/caption/caption.go` from `file, err := os.Create(c.File)` to `file, err := pkg.Root.OpenFile(c.File, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)` to confine file creation to the `pkg.Root` boundary, matching the approach used in other caption methods.","labels":["security"],"sourceUrl":"https://github.com/advisories/GHSA-2c7f-fxww-6w6c","publishedAt":"2026-07-14T19:34:47.000Z","cveId":"CVE-2026-50158","cweIds":null,"cvssScore":null,"cvssSeverity":"high","severity":"high","attackType":["supply_chain"],"issueType":"vulnerability","affectedPackages":["github.com/eat-pray-ai/yutu@< 0.10.9-dev1 (fixed: 0.10.9-dev1)"],"affectedVendors":[],"affectedVendorsRaw":["yutu"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0,"patchAvailable":true,"disclosureDate":"2026-07-14T19:34:47.000Z","capecIds":null,"crossRefCount":0,"attackSophistication":"moderate","impactType":["integrity","availability"],"aiComponentTargeted":null,"llmSpecific":false,"classifierConfidence":0.85,"researchCategory":null,"atlasIds":["AML.T0010"]}}