GHSA-2c7f-fxww-6w6c: yutu: Arbitrary File Write via MCP `caption-download` Tool
Summary
The yutu MCP tool `caption-download` has a vulnerability where it writes downloaded files to any path specified by an attacker, bypassing the `YUTU_ROOT` directory boundary that should confine all file operations. Unlike other caption methods that properly use `pkg.Root.Open()` to restrict file access, `Caption.Download()` directly calls `os.Create()` on the attacker-supplied file path, allowing arbitrary file writes anywhere the yutu process has permission to write (CVSS 7.7, high severity).
Solution / Mitigation
Change line 272 in `pkg/caption/caption.go` from `file, err := os.Create(c.File)` to `file, err := pkg.Root.OpenFile(c.File, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)` to confine file creation to the `pkg.Root` boundary, matching the approach used in other caption methods.
Vulnerability Details
EPSS: 0.0%
Yes
July 14, 2026
Classification
Taxonomy References
Affected Vendors
Affected Packages
Related Issues
Original source: https://github.com/advisories/GHSA-2c7f-fxww-6w6c
First tracked: July 14, 2026 at 08:00 PM
Classified by LLM (prompt v3) · confidence: 85%