Severity by source
CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:N/VI:H/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (https://github.com/rtk-ai/rtk) · only source for this CVE.
CVSS VectorVendor: https://github.com/rtk-ai/rtk
CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:N/VI:H/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
RTK (Rust Token Killer) improperly trusts project-local configuration files. In versions prior to 0.32.0, RTK automatically loads .rtk/filters.toml from the working directory with highest priority and without user notification. An attacker can place a malicious filter file in a repository to apply regex-based modifications (e.g., strip_lines_matching) to shell command output before it is shown to the LLM, without any indication that the output has been modified.
This allows attackers to selectively suppress or alter command output (including file contents, diffs, and security scan results) without detection, potentially concealing malicious code during AI-assisted development or review.
Patch
Fixed in v0.32.0 (PRs #623, #625):
.rtk/filters.tomlis now blocked by default when untrusted, with a visible warning:[rtk] WARNING: untrusted project filters - Filters NOT applied. Run rtk trust to review and enable.- SHA-256 hash verification: if the file changes after trust, filters are blocked again until re-reviewed.
- New
rtk trust/rtk untrustcommands for explicit user consent. - Trust store implemented in
src/trust.rs; trust gate added insrc/toml_filter.rs.
AnalysisAI
Silent output manipulation in RTK (Rust Token Killer) prior to v0.32.0 allows an attacker who can place a file in a repository to intercept and alter all shell command output before it reaches an LLM during AI-assisted development. The root cause is that RTK unconditionally loaded .rtk/filters.toml from the current working directory with highest priority and no user notification, enabling regex-based suppression or rewriting of file contents, diffs, and security scan results. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in CISA KEV; however, the attack surface - repository-committed config files silently hijacking LLM context - is particularly relevant to AI-assisted development pipelines where developers may not scrutinize every checked-in config.
Technical ContextAI
RTK is a Rust CLI tool (pkg:rust/rtk) designed to preprocess and filter token streams before they are passed to a large language model. It supports a layered configuration system, with project-local .rtk/filters.toml loaded from the current working directory at highest priority. In versions prior to 0.32.0, this file was read and applied unconditionally via std::fs::read_to_string in src/toml_filter.rs without any trust verification or user consent step. The root cause maps to CWE-345 (Insufficient Verification of Data Authenticity): RTK failed to distinguish between configuration files the user had explicitly reviewed and untrusted files introduced by third parties. Filter primitives such as strip_lines_matching and replace allow arbitrary regex-based transformation of any string passed through the pipeline, making it straightforward to suppress security scanner output, redact diff hunks, or rewrite file contents - all silently. The fix in v0.32.0 introduces a SHA-256 trust store in src/trust.rs and a trust gate in src/toml_filter.rs that blocks filter application unless the user has explicitly run rtk trust against a specific file hash.
RemediationAI
Upgrade RTK to version 0.32.0 or later, which is the vendor-released patch confirmed by GHSA-fvvm-949w-qj4w (https://github.com/rtk-ai/rtk/security/advisories/GHSA-fvvm-949w-qj4w) and PRs #623 and #625. After upgrading, any repository containing .rtk/filters.toml will produce a visible warning and filters will not be applied until the user explicitly runs rtk trust in that directory. For users who cannot immediately upgrade, a compensating control is to manually inspect any .rtk/filters.toml present in repositories before running RTK, and to avoid running pre-0.32.0 RTK in directories cloned from untrusted sources. CI pipelines that legitimately need project filters can set RTK_TRUST_PROJECT_FILTERS=1 as documented in the patched src/trust.rs, but this should only be applied to repositories with verified, controlled content. There is no network-level mitigation available since the attack is filesystem-based.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38572
GHSA-fvvm-949w-qj4w