Stored AESI: ANSI Escape Sequence Injection
| Details |
|---|
Severity: Medium
Test Name: Stored AESI: ANSI Escape Sequence Injection
Test ID: stored_aesi
Test Name: Stored AESI: ANSI Escape Sequence Injection
Test ID: stored_aesi
| Description |
|---|
The application stores attacker-controlled AESI payload content from an injection entrypoint and later returns it from an MCP model-consumable reflection field without stripping or neutralizing ANSI escape sequences. This allows an attacker to persist terminal control codes and hidden instruction text so that a human operator may see benign output while a downstream model receives and may act on concealed directives.
The issue is confirmed only when the ANSI bytes and payload instruction text survive in the recorded model-consumable field path.
| Impact |
|---|
This vulnerability allows an attacker to:
- Persist hidden instructions
- Override model instructions
- Exfiltrate sensitive data
- Invoke unintended tools
- Bypass approval mechanisms
- Produce misleading output
| Locations |
|---|
The issue can be found in MCP server responses on the server side, originating from data stored through a separate writable entry point.
| Remediation suggestions |
|---|
- Treat all stored and reflected content as untrusted before returning it through MCP tools, resources, or prompt templates.
- Strip ANSI control sequences from stored text before persistence and again at every MCP return path, including CSI sequences such as
\x1b[...], OSC sequences such as\x1b], DCS sequences such as\x1bP, and single-byte C1 control characters from 0x80 through 0x9F. - Keep clear provenance markers around reflected external content.
- Enforce least-privilege tool access for agents processing stored content.
- Prevent untrusted reflected data from being interpreted as model instructions.
| Classifications |
|---|
- CWE-116
- CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
| References |
|---|