{"data":{"id":"d73db1e9-e1db-488e-821e-a73d32ea6ee4","title":"GHSA-52vm-mxx8-f227: Phantom: Arbitrary file write and decode-bomb DoS via unconfined MCP tool paths","summary":"Phantom version 1.3.0 and earlier had two security flaws: AI agents could write files anywhere on a developer's computer (including files that run code when the system starts), and the audio processing tools could be crashed by tricking them into expanding tiny compressed files into huge amounts of data. Both issues are caused by missing safety checks on file paths and audio input sizes.","solution":"Update to Phantom 1.3.1, which confines all file writes to PHANTOM_OUTPUT_DIR (with a default of ~/.phantom/output), adds size and duration limits to audio decoding on all paths, and uses atomic file creation with symlink protection. As a temporary workaround before updating, set PHANTOM_OUTPUT_DIR and optionally PHANTOM_AUDIO_DIR to dedicated directories before starting the server.","labels":["security"],"sourceUrl":"https://github.com/advisories/GHSA-52vm-mxx8-f227","publishedAt":"2026-07-09T13:37:34.000Z","cveId":null,"cweIds":null,"cvssScore":null,"cvssSeverity":"high","severity":"high","attackType":["supply_chain"],"issueType":"vulnerability","affectedPackages":["phantom-audio@<= 1.3.0 (fixed: 1.3.1)"],"affectedVendors":[],"affectedVendorsRaw":["Phantom","MCP"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":null,"epssScore":null,"patchAvailable":true,"disclosureDate":"2026-07-09T13:37:34.000Z","capecIds":null,"crossRefCount":0,"attackSophistication":"moderate","impactType":["integrity","availability"],"aiComponentTargeted":"agent","llmSpecific":false,"classifierConfidence":0.85,"researchCategory":null,"atlasIds":null}}