GHSA-52vm-mxx8-f227: Phantom: Arbitrary file write and decode-bomb DoS via unconfined MCP tool paths
Summary
Phantom version 1.3.0 and earlier had two security flaws: AI agents could write files anywhere on a developer's computer (including files that run code when the system starts), and the audio processing tools could be crashed by tricking them into expanding tiny compressed files into huge amounts of data. Both issues are caused by missing safety checks on file paths and audio input sizes.
Solution / Mitigation
Update to Phantom 1.3.1, which confines all file writes to PHANTOM_OUTPUT_DIR (with a default of ~/.phantom/output), adds size and duration limits to audio decoding on all paths, and uses atomic file creation with symlink protection. As a temporary workaround before updating, set PHANTOM_OUTPUT_DIR and optionally PHANTOM_AUDIO_DIR to dedicated directories before starting the server.
Classification
Affected Vendors
Affected Packages
Related Issues
Original source: https://github.com/advisories/GHSA-52vm-mxx8-f227
First tracked: July 9, 2026 at 02:00 PM
Classified by LLM (prompt v3) · confidence: 85%