The vulnerability resides in Repomix’s MCP server implementation, specifically within the interaction between the `attach_packed_output` and `read_repomix_output` tools. The server exposes a `file_system_read_file` tool that enforces a safety check by running `runSecretLint()` on any file before returning its content, blocking files that contain sensitive information. However, the `attach_packed_output` tool provides an alternative path for registering local files as “packed outputs” without invoking the same security validation.
The `attach_packed_output` tool accepts a file path and resolves it using `resolveOutputFilePath()`, which permits any file with the extension .json, .txt, .md, or .xml. It reads the file via `fs.readFile(outputFilePath, 'utf8')` and attempts to parse it as a Repomix output. Critically, malformed or non-Repomix JSON files are not rejected; they simply produce empty metrics and are still registered. The tool then calls `formatPackToolResponse()`, which registers the original file path under a generated `outputId` in the runtime registry. Subsequently, the `read_repomix_output` tool resolves this `outputId` and returns the full content of the registered file.
This creates a clear bypass: an attacker or lower‑trust AI action with MCP tool‑call capability can use `attach_packed_output` on a sensitive local file (e.g., credentials.json), receive an outputId, and then invoke `read_repomix_output` to exfiltrate the file’s contents. The direct `file_system_read_file` path would have triggered the secret scan and potentially blocked the read, but the packed‑output flow circumvents this guard entirely. The root cause is that the safety boundary is implemented per‑tool rather than as a global file‑access policy, and `attach_packed_output` lacks both a validation of the file being a genuine Repomix output and a secret‑lint check before registration.
The affected component is the MCP server in `repomix@1.14.0` (commit adf5a12). The project's README documents the feature as providing secure access to packed outputs, but the implementation does not uphold that guarantee. Exploitation does not require shell access or file writes; it only needs the ability to call MCP tools on a server with local filesystem access. This poses a medium-severity risk in environments where AI assistants interact with the MCP server, as it could leak configuration files, tokens, or other plaintext data with supported extensions.
DailyCVE Form:
Platform: Repomix MCP
Version: 1.14.0
Vulnerability: File Read Bypass
Severity: Medium
Date: 2026-07-01
Prediction: 2026-07-15
What Undercode Say:
Reproduction script (run.sh)
#!/usr/bin/env bash
set -euo pipefail
set +e
node run.js 2>&1 | tee transcript.txt
rc=${PIPESTATUS[0]}  # exit status of `node run.js`, not of `tee`
set -e
printf '%s\n' "$rc" > exit-code.txt
exit "$rc"
// Source trace of the vulnerability chain
// fileSystemReadFileTool.ts:72-83 - runs runSecretLint()
// attachPackedOutputTool.ts:76-87 - accepts file based only on extension
// attachPackedOutputTool.ts:111-120 - supported extensions: .json, .txt, .md, .xml
// attachPackedOutputTool.ts:228-240 - JSON parse errors return empty metrics (no rejection)
// attachPackedOutputTool.ts:272-308 - reads file without secret check
// mcpToolRuntime.ts:77-82 - registers outputFilePath
// readRepomixOutputTool.ts:56-74 - reads registered file and returns content
Observed transcript from reproduction:
ATTACH_TOOL_SOURCE_READS_FILE=true
ATTACH_TOOL_HAS_SECRETLINT_CHECK=false
READ_FILE_TOOL_HAS_SECRETLINT_CHECK=true
RUNTIME_REGISTERS_OUTPUT_PATH=true
ATTACH_ACCEPTS_JSON_EXTENSION=true
ATTACHED_NON_REPOMIX_JSON_PATH=true
SENTINEL_READ_BACK=true
REPOMIX_ATTACH_PACKED_OUTPUT_ARBITRARY_JSON_READ_REPRODUCED=true
Exploit:
1. Identify a local file with a supported extension (.json, .txt, .md, .xml) that contains sensitive information, e.g., /path/to/credentials.json.
2. Invoke the MCP tool `attach_packed_output` with the absolute path to that file.
3. The tool accepts the file based on its extension, reads it, and registers it under a generated `outputId` without running `runSecretLint()` or validating it as a genuine Repomix output.
4. Capture the returned `outputId`.
5. Call `read_repomix_output` with that `outputId`.
6. The tool resolves the ID and returns the full content of the original file, bypassing the safety check that `file_system_read_file` would have applied.
Protection:
- Modify `attach_packed_output` to validate that the input file is a legitimate Repomix packed output (e.g., by checking for a specific header or schema) and reject malformed or non‑Repomix files instead of registering them with empty metrics.
- Apply the same `runSecretLint()` check used by `file_system_read_file` to all file-read paths, including the registration step in `attach_packed_output` and the retrieval step in `read_repomix_output`.
- Consider storing a content snapshot (rather than a file path) in the runtime registry, so that later reads do not re-access the filesystem and thus cannot bypass per-read security checks.
- Alternatively, unify the file‑access logic under a single, centrally enforced safety boundary that all tools must invoke before returning any file content.
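A hardened version of the flow, as an added example that is not Repomix's own code: every tool reads through one guarded function that applies the extension allow-list and a secret scan, `attach_packedOutput` rejects anything that is not a packed output instead of registering it with empty metrics, and the registry stores a content snapshot rather than a path. The secret patterns, the assumed packed-output shape, and the in-memory file map are constructed stand-ins for `runSecretLint()`, the real output format and `fs.readFile`.

```typescript
// Added example (not Repomix's own code): one guarded read path shared by every tool.
type ReadFn = (path: string) => string;
const SUPPORTED_EXTENSIONS = ['.json', '.txt', '.md', '.xml'];
// Stand-in for runSecretLint(): constructed patterns, not secretlint itself.
const SECRET_PATTERNS = [/api[_-]?key"?\s*[:=]/i, /password"?\s*[:=]/i, /AKIA[0-9A-Z]{16}/];
const hasSecrets = (content: string): boolean => SECRET_PATTERNS.some((re) => re.test(content));
// Assumed shape of a genuine packed output; unrelated or malformed JSON is rejected.
function isRepomixOutput(content: string): boolean {
  try {
    const parsed = JSON.parse(content);
    return parsed !== null && typeof parsed === 'object' &&
      typeof parsed.summary === 'string' && Array.isArray(parsed.files);
  } catch { return false; }
}
class GuardedRegistry {
  private snapshots = new Map<string, string>();
  private counter = 0;
  constructor(private readFile: ReadFn) {}
  // The single file-access boundary: extension allow-list, then secret scan.
  private guardedRead(path: string): string {
    const ext = path.slice(path.lastIndexOf('.'));
    if (!SUPPORTED_EXTENSIONS.includes(ext)) throw new Error(`unsupported extension ${ext}`);
    const content = this.readFile(path);
    if (hasSecrets(content)) throw new Error(`secret detected in ${path}`);
    return content;
  }
  attachPackedOutput(path: string): string {
    const content = this.guardedRead(path);
    if (!isRepomixOutput(content)) throw new Error(`${path} is not a Repomix packed output`);
    const outputId = `out-${++this.counter}`;
    this.snapshots.set(outputId, content); // snapshot, never a path to re-read later
    return outputId;
  }
  readRepomixOutput(outputId: string): string {
    const content = this.snapshots.get(outputId);
    if (content === undefined) throw new Error(`unknown outputId ${outputId}`);
    return content; // served from the snapshot, no second filesystem read
  }
}
// Constructed in-memory "filesystem" standing in for fs.readFile.
const FAKE_FS: Record<string, string> = {
  '/repo/repomix-output.json': '{"summary":"packed repo","files":[{"path":"src/a.ts","content":"x"}]}',
  '/home/dev/credentials.json': '{"api_key":"AKIAEXAMPLEKEY000000"}',
  '/home/dev/notes.json': '{"todo":["refactor"]}',
};
const registry = new GuardedRegistry((p) => { if (!(p in FAKE_FS)) throw new Error(`ENOENT ${p}`); return FAKE_FS[p]; });
// Returns the outputId, or null when the boundary refused the file.
function tryAttach(reg: GuardedRegistry, path: string): string | null {
  try { return reg.attachPackedOutput(path); } catch { return null; }
}
```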
Impact:
In the MCP threat model, an attacker or lower‑trust AI action with tool‑call capability can read arbitrary local JSON, text, Markdown, or XML files through the `attach_packed_output` → `read_repomix_output` flow, bypassing the secret‑scanning protection of the direct file‑read tool. This can expose sensitive project configuration, tokens, credentials, local tool settings, or other plaintext files with supported extensions. The attack does not require shell execution or file writes; it only requires MCP tool‑call access against a Repomix server running with local filesystem access. This undermines the security boundary documented for the packed‑output feature and can lead to information disclosure in AI‑assisted development environments.
Sources:
Reported By: github.com