Hi,
Reporting a security finding privately. GHSA / private vulnerability reporting isn't enabled on this repo — happy to move to whichever channel you prefer (email, encrypted, security.txt contact).
Class: Cross-AI silent callout — the review_code tool forwards source files to an external LLM (OpenAI / Claude / configured provider) and returns the synthesized review as plain text, with no provider / model / ai_generated: true markers on the returned content. The host agent (Claude/GPT in whatever client is calling this MCP) cannot distinguish deterministic tool output from second-LLM review, which opens a prompt-injection-via-second-LLM path: an attacker who lands a comment, docstring, or committed string in code under review can steer the review output to mark other code as safe or to recommend merge of vulnerable patterns.
Severity estimate: Medium-High (code-quality decision surface; poisoned input can steer merge decisions and security reviews).
Scope: Static-analysis finding. No live exploitation performed on any deployed instance.
What I need: A channel to send the full writeup with file + line references and a suggested fix (provenance-wrap the review output, label review_source: "<provider>:<model>", and pass the untrusted code through a clear [UNTRUSTED_INPUT]...[/UNTRUSTED_INPUT] delimiter wrapper in the prompt).
Channel: Email to victor.valentine415@gmail.com (CC: seanv415@gmail.com) is fine, or any channel you prefer.
Context: This is part of a larger MCP ecosystem audit (62+ findings across 8 rounds, same vulnerability class). Related disclosures already coordinated with: getzep/graphiti (GHSA-grj2-r92j-f256), perplexityai/modelcontextprotocol (GHSA-r55g-g74v-4m2m), sooperset/mcp-atlassian (GHSA-f4p7-qx46-wc5j), plus direct email to Notion, Jina, and Sentry security inboxes.
Thanks for building this. Happy to coordinate disclosure timing that suits you.
— Sean Valentine
Hi,
Reporting a security finding privately. GHSA / private vulnerability reporting isn't enabled on this repo — happy to move to whichever channel you prefer (email, encrypted, security.txt contact).
Class: Cross-AI silent callout — the
review_codetool forwards source files to an external LLM (OpenAI / Claude / configured provider) and returns the synthesized review as plain text, with noprovider/model/ai_generated: truemarkers on the returned content. The host agent (Claude/GPT in whatever client is calling this MCP) cannot distinguish deterministic tool output from second-LLM review, which opens a prompt-injection-via-second-LLM path: an attacker who lands a comment, docstring, or committed string in code under review can steer the review output to mark other code as safe or to recommend merge of vulnerable patterns.Severity estimate: Medium-High (code-quality decision surface; poisoned input can steer merge decisions and security reviews).
Scope: Static-analysis finding. No live exploitation performed on any deployed instance.
What I need: A channel to send the full writeup with file + line references and a suggested fix (provenance-wrap the review output, label
review_source: "<provider>:<model>", and pass the untrusted code through a clear[UNTRUSTED_INPUT]...[/UNTRUSTED_INPUT]delimiter wrapper in the prompt).Channel: Email to victor.valentine415@gmail.com (CC: seanv415@gmail.com) is fine, or any channel you prefer.
Context: This is part of a larger MCP ecosystem audit (62+ findings across 8 rounds, same vulnerability class). Related disclosures already coordinated with: getzep/graphiti (GHSA-grj2-r92j-f256), perplexityai/modelcontextprotocol (GHSA-r55g-g74v-4m2m), sooperset/mcp-atlassian (GHSA-f4p7-qx46-wc5j), plus direct email to Notion, Jina, and Sentry security inboxes.
Thanks for building this. Happy to coordinate disclosure timing that suits you.
— Sean Valentine