AESI: ANSI Escape Sequence Injection

The MCP server fetches content from external URLs and relays it into model-consumable fields without stripping or neutralizing ANSI escape sequences. An attacker embeds terminal control codes in the hosted payload to hide injection instructions from the human operator's terminal view while leaving them intact in the byte stream the LLM consumes.

This creates a split-perception condition: the operator sees clean, benign output, while the model receives and may act on concealed attacker directives. Affected locations include MCP tools, resources, and prompt templates whose input schema includes a URL or URI parameter that causes the server to make an outbound request and return fetched content.

Model-consumable return paths include resources/read result.contents[].text and result.contents[].blob with text MIME types, tools/call result.content[].text and result.content[].resource text or blob fields with text MIME types, and prompts/get result.messages[].content text fields.

This vulnerability allows an attacker to:

• Override model instructions
• Exfiltrate sensitive data
• Invoke unintended tools
• Bypass approval mechanisms
• Produce misleading output

The issue can be found in MCP server responses on the server side.

• Treat all fetched content as untrusted.
• Never relay external content into model-consumable fields without inspection and transformation.
• Strip ANSI control sequences at the server return path, including CSI sequences such as \x1b[...], OSC sequences such as \x1b], DCS sequences such as \x1bP, and single-byte C1 control characters from 0x80 through 0x9F.
• Wrap fetched content in explicit provenance markers so the model and client can distinguish external data from instructions.
• Limit the tools and filesystem access available to agents when they process content from external sources.

• CWE-116
• CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L

• https://cwe.mitre.org/data/definitions/116.html
• https://cwe.mitre.org/data/definitions/1427.html