Do not open a GitHub issue for security vulnerabilities.
Report vulnerabilities by email to security@radimsemerak.cz. Include as much detail as possible:
- A description of the vulnerability and its potential impact
- Steps to reproduce or a minimal proof-of-concept
- The affected component (see scope below)
- Any suggested mitigations, if you have them
You will receive an acknowledgment within 48 hours. We will then work with you to understand the issue, develop a fix, and agree on a disclosure timeline before anything is made public (coordinated disclosure).
The following components are in scope:
| Component | Examples |
|---|---|
| Injection guard | Bypassing the metacharacter blocklist (shell metacharacters such as `;` or `\|`) |
| Path confinement | Escaping the project root via traversal, symlinks, or canonicalization tricks |
| Path blocklist | Reading .env, *.pem, *.key, or other blocked file types |
| Env blocklist | Injecting LD_PRELOAD, DYLD_*, or other blocked environment variables |
| Sandbox escape | Breaking out of the BubbleWrap (Linux) or sandbox-exec (macOS) isolation layer |
| Elicitation bypass | Triggering destructive tool execution without user approval |
| MCP protocol | Malicious MCP requests that bypass validation or cause unintended execution |
The following are out of scope:
- Vulnerabilities in third-party binaries wrapped by Mithril (`rtk`, `git`, `cargo`, `docker`, etc.) — report those upstream
- Vulnerabilities in the CI/CD tooling or GitHub Actions configuration, unless they directly affect Mithril's security model
- Denial-of-service via resource exhaustion (timeout and output limits are a known trade-off, not a vulnerability)
We follow coordinated disclosure: the reporter and maintainer agree on a fix and a public disclosure date before any details are shared publicly. We aim to resolve confirmed vulnerabilities promptly and will credit reporters in the release notes unless anonymity is preferred.
We consider good-faith security research on Mithril to be a valuable contribution. If you act in good faith — limiting testing to your own environment, not accessing or modifying data you do not own, and reporting promptly — we will not pursue legal action related to your research.