Skip to content

[Security] Cross-AI provenance gap in generate_commit_message output — requesting private disclosure channel #9

Description

@victorvalentine415-ai

Hi,

Reporting a security finding privately. GHSA / private vulnerability reporting isn't enabled on this repo — happy to move to whichever channel you prefer (email, encrypted, security.txt contact).

Class: Cross-AI silent callout — the commit-message generation tool forwards the staged diff to an external LLM (OpenAI / Anthropic / configured provider) and returns the synthesized message as plain text, with no provider / model / ai_generated: true markers on the returned content. The host agent that drives the commit flow cannot distinguish deterministic tool output from second-LLM synthesis — which becomes load-bearing because commit messages are then auto-applied. A poisoned diff hunk (e.g. an attacker-controlled file content or a comment in an otherwise innocent change) can steer the synthesizer to emit a misleading commit message, or, in the worst case, a message that exfiltrates context by encoding it in the message body.

Severity estimate: Medium-High (auto-commit auto-application surface; poisoned diff steers commit-message synthesis — low-friction propagation into git history).

Scope: Static-analysis finding. No live exploitation performed on any deployed instance.

What I need: A channel to send the full writeup with file + line references and a suggested fix (provenance-wrap the returned commit message, label generator: "<provider>:<model>", pass the untrusted diff through a clear [UNTRUSTED_INPUT]...[/UNTRUSTED_INPUT] delimiter, and require an explicit host-agent confirmation step before auto-apply).

Channel: Email to victor.valentine415@gmail.com (CC: seanv415@gmail.com) is fine, or any channel you prefer.

Context: This is part of a larger MCP ecosystem audit (62+ findings across 8 rounds, same vulnerability class). Related disclosures already coordinated with: getzep/graphiti (GHSA-grj2-r92j-f256), perplexityai/modelcontextprotocol (GHSA-r55g-g74v-4m2m), sooperset/mcp-atlassian (GHSA-f4p7-qx46-wc5j), plus direct email to Notion, Jina, and Sentry security inboxes.

Thanks for building this. Happy to coordinate disclosure timing that suits you.

— Sean Valentine

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type
    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions