GHSA-fvvm-949w-qj4w: RTK improperly trusts project-local filter configuration, allowing silent tampering of command output shown to LLM
Summary
RTK (Rust Token Killer, a tool that filters sensitive data before showing command output to an LLM) had a vulnerability where it automatically loaded filter configuration files from a project directory without asking the user first, allowing attackers to secretly modify what an LLM sees. An attacker could place a malicious filter file in a repository to hide or alter command output (like file contents or security scan results) without any warning, potentially concealing malicious code during development.
Solution / Mitigation
Fixed in v0.32.0 (PRs #623, #625): the `.rtk/filters.toml` file is now blocked by default with a visible warning stating '[rtk] WARNING: untrusted project filters — Filters NOT applied. Run rtk trust to review and enable.' The patch also adds SHA-256 hash verification (a cryptographic check ensuring the file hasn't changed) to re-block filters if the file is modified after being trusted, and introduces new `rtk trust` and `rtk untrust` commands to let users explicitly approve configuration files.
Vulnerability Details
EPSS: 0.0%
Yes
May 20, 2026
Classification
Affected Vendors
Affected Packages
Related Issues
Original source: https://github.com/advisories/GHSA-fvvm-949w-qj4w
First tracked: May 20, 2026 at 02:00 PM
Classified by LLM (prompt v3) · confidence: 92%