Noma Security — ContextCrush in Context7 MCP server
AI relevance: Context7 is an MCP server that injects library docs into IDE agents; poisoning its “custom rules” lets attackers steer tool-using agents to run commands or exfiltrate data on developer machines.
- Noma Security disclosed ContextCrush, a vulnerability in Context7, a popular MCP server for library documentation delivery to coding assistants.
- Context7 operates both the registry (where library owners publish docs/rules) and the trusted delivery channel to agents.
- The flaw sits in the Custom Rules / AI Instructions feature, which were served verbatim with no sanitization or filtering.
- An attacker can publish malicious rules for a library, and every agent querying that library receives the payload as trusted context.
- The MCP server itself exposes only read-only tools, but the IDE agent executes the instructions using its own tool access (shell, files, network).
- Noma reports the issue was fixed within two days and saw no evidence of active exploitation at disclosure time.
Why it matters
- MCP tool output is treated as trusted context, so a registry-level compromise becomes a supply‑chain prompt injection vector.
- Context7’s popularity (tens of thousands of stars and millions of downloads) means a single poisoned rule can reach a large developer base.
- Agent workflows blur the line between “docs” and “instructions,” widening the blast radius beyond traditional prompt-injection paths.
What to do
- Update: ensure you’re on the patched Context7 MCP server release.
- Fence tool outputs: apply sanitization, content filtering, or rule allowlists before feeding MCP output into agents.
- Limit agent power: sandbox agent tool access and remove default shell/network permissions unless required.
- Monitor: log and review agent tool calls for unusual file access or outbound traffic after doc lookups.