ContextCrush Flaw Turns AI Documentation Into Malicious Instructions

Key Takeaways

• A flaw in the Context7 MCP Server could allow attackers to inject malicious instructions into AI coding assistants.
• The vulnerability exploited the platform’s “Custom Rules” feature that delivered instructions to AI agents without filtering.
• AI assistants could execute harmful actions such as data exfiltration or file deletion using developer system permissions.
• The issue was discovered by security researchers and patched by Upstash with additional filtering safeguards.
• No confirmed real-world exploitation has been reported at the time of disclosure.

Poisoned Documentation Could Hijack AI Coding Assistants

Security researchers disclosed a vulnerability in Context7’s Model Context Protocol (MCP) server that could allow malicious instructions to reach AI coding assistants through trusted documentation channels. The flaw, called ContextCrush, enabled attackers to embed harmful commands within developer library documentation delivered to AI tools.

Because the instructions arrived through a trusted MCP integration, AI assistants could interpret them as legitimate guidance and execute actions such as file deletion or data exfiltration on developers’ systems. (scworld.com)

What We Know

Security researchers from Noma Labs disclosed a vulnerability affecting Context7, a documentation platform operated by Upstash that distributes programming library information to AI coding assistants through the Model Context Protocol (MCP). (Infosecurity Magazine)

Context7 has become widely used in modern AI-assisted development workflows. It enables integrated development environment tools such as Cursor, Claude Code, and Windsurf to retrieve up-to-date documentation and AI-specific instructions directly from a centralized registry. (prismnews.com)

The vulnerability stemmed from the platform’s “Custom Rules” feature. This feature allowed library maintainers to include guidance designed to help AI assistants interpret documentation correctly. Researchers discovered that these rules were delivered verbatim through the Context7 MCP server without sanitization or filtering.

An attacker could therefore register a library in the Context7 registry and embed malicious instructions inside the Custom Rules section. When developers queried that library through their AI assistant, the poisoned instructions would be inserted directly into the model’s working context.

Because AI agents often treat documentation sources as trusted inputs, the instructions could be interpreted as legitimate tasks and executed using the developer’s local permissions. Researchers demonstrated that such instructions could search for sensitive files, transmit their contents to an attacker-controlled repository, or delete local files.

Upstash acknowledged the issue and deployed mitigations including rule filtering and additional safeguards. At the time of disclosure, there was no evidence the vulnerability had been exploited in real-world attacks. (SC Media)

What Could Happen

The ContextCrush vulnerability represents a new form of indirect prompt injection and AI supply chain attack. Rather than compromising the AI system directly, attackers manipulate external information sources that the AI trusts.

In this case, the attack chain begins when a malicious actor publishes a library entry on the Context7 platform. The attacker inserts harmful instructions into the Custom Rules field, which is intended to guide AI assistants when interpreting documentation. Because the platform previously delivered these rules without sanitization, the MCP server would distribute them to any AI assistant that queried the library.

When a developer asks their AI coding assistant for help with that library, the assistant retrieves documentation and rules from Context7 through the MCP integration. The malicious instructions are inserted into the model’s prompt context alongside legitimate documentation.

AI agents running inside development environments often have access to powerful tools, including file systems, package managers, and code execution environments. The injected instructions could therefore direct the AI to search for sensitive files, transmit secrets, modify project files, or delete data under the guise of legitimate tasks.

This attack does not require direct access to the victim system. Instead, it leverages trusted supply chain infrastructure to deliver the malicious instructions automatically whenever developers query the affected library.

Why It Matters

The ContextCrush vulnerability highlights an emerging security risk in agent-driven AI development environments. As AI coding assistants gain deeper access to developer tools and local systems, the impact of compromised context sources increases significantly.

Traditional software supply chain attacks typically target package repositories or build pipelines. In this case, the attack vector targeted the contextual knowledge sources that AI agents rely on to interpret instructions and generate actions. Because these instructions appear within trusted documentation channels, they can bypass many traditional security controls.

If exploited, such attacks could expose sensitive developer artifacts such as API keys, environment variables, or proprietary source code. Developers frequently store credentials in configuration files or .env files within project directories, making them attractive targets for automated exfiltration attempts.

Beyond individual systems, the risk also extends to organizations relying on AI-assisted development pipelines. Compromised AI agents could introduce malicious code into repositories, leak intellectual property, or tamper with build artifacts.

The incident also illustrates a broader governance challenge for AI ecosystems built on protocols such as MCP. These architectures allow models to autonomously access external tools and information sources. Without strict validation and trust boundaries, malicious inputs can propagate across AI workflows and trigger unintended system actions.

PointGuard AI Perspective

The ContextCrush incident demonstrates how modern AI applications inherit security risks from their surrounding ecosystem. AI agents are no longer isolated models. They operate as orchestrators that consume external documentation, APIs, and tools, often with high levels of automation and system access.

PointGuard AI addresses this risk by providing continuous visibility into the AI supply chain and enforcing governance controls across model interactions, data sources, and tool integrations.

First, PointGuard AI maintains a comprehensive AI SBOM and dependency graph for AI systems. This allows organizations to identify external sources that influence model behavior, including documentation registries, tool providers, and orchestration frameworks such as MCP. By mapping these dependencies, security teams can detect untrusted or newly introduced context sources before they impact production environments.

Second, PointGuard AI performs continuous risk monitoring across AI workflows. Behavioral analysis identifies abnormal model actions, such as attempts to access sensitive files or invoke unusual tools in response to external context. These signals help detect prompt injection or tool-poisoning attacks before sensitive data is exposed.

Third, policy enforcement mechanisms allow organizations to restrict high-risk model actions. For example, organizations can enforce rules that block AI agents from accessing credential files, exporting sensitive data, or executing system-level operations without human approval.

As AI agents become more integrated into software development and enterprise workflows, security must evolve from static model testing to continuous operational oversight. Platforms like PointGuard AI enable organizations to adopt AI confidently while maintaining visibility, control, and resilience against emerging AI supply chain threats.

Incident Scorecard Details

Total AISSI Score: 6.3/10

Criticality = 7, AI coding assistants can access sensitive developer environments and source code repositories. AISSI weighting: 25%

Propagation = 7, vulnerability occurs in a widely used MCP documentation server that distributes context across many AI developer tools. AISSI weighting: 20%

Exploitability = 4, proof-of-concept demonstrated but no confirmed real-world exploitation reported. AISSI weighting: 15%

Supply Chain = 8, vulnerability originates in a third-party platform delivering instructions to AI agents across the development ecosystem. AISSI weighting: 15%

Business Impact = 5, potential for sensitive data exposure and developer environment compromise, but no confirmed real-world impact at disclosure. AISSI weighting: 25%

Sources

SC World
https://www.scworld.com/brief/context7-mcp-server-flaw-could-allow-malicious-instructions-for-ai-assistants

Infosecurity Magazine
https://www.infosecurity-magazine.com/news/contextcrush-ai-development-tools/

Prism News
https://www.prismnews.com/news/contextcrush-flaw-let-poisoned-docs-hijack-ai-coding-assistants