RTK CVE-2026-45792
MEDIUM
GHSA-fvvm-949w-qj4w
Lifecycle Timeline
2DescriptionNVD
RTK (Rust Token Killer) improperly trusts project-local configuration files. In versions prior to 0.32.0, RTK automatically loads .rtk/filters.toml from the working directory with highest priority and without user notification. An attacker can place a malicious filter file in a repository to apply regex-based modifications (e.g., strip_lines_matching) to shell command output before it is shown to the LLM, without any indication that the output has been modified.
This allows attackers to selectively suppress or alter command output (including file contents, diffs, and security scan results) without detection, potentially concealing malicious code during AI-assisted development or review.
Patch
Fixed in v0.32.0 (PRs #623, #625):
.rtk/filters.tomlis now blocked by default when untrusted, with a visible warning:[rtk] WARNING: untrusted project filters - Filters NOT applied. Run rtk trust to review and enable.- SHA-256 hash verification: if the file changes after trust, filters are blocked again until re-reviewed.
- New
rtk trust/rtk untrustcommands for explicit user consent. - Trust store implemented in
src/trust.rs; trust gate added insrc/toml_filter.rs.
AnalysisAI
Silent output manipulation in RTK (Rust Token Killer) prior to v0.32.0 allows an attacker who can place a file in a repository to intercept and alter all shell command output before it reaches an LLM during AI-assisted development. The root cause is that RTK unconditionally loaded .rtk/filters.toml from the current working directory with highest priority and no user notification, enabling regex-based suppression or rewriting of file contents, diffs, and security scan results. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Share
External POC / Exploit Code
Leaving vuln.today