Advisories for Pypi/Phantom-Audio package

2026

Phantom: Arbitrary file write and decode-bomb DoS via unconfined MCP tool paths

In Phantom <= 1.3.0, when PHANTOM_OUTPUT_DIR was unset (the default), the MCP tools accepted arbitrary absolute output paths with no confinement. Anything able to send tool calls (e.g. an AI agent driving the MCP interface) could write or overwrite arbitrary files the process user can write — including shell startup files (~/.zshrc) or a Reaper __startup.lua, which is effectively local code execution on a developer workstation. Separately, the stem-separation and …