RTK improperly trusts project-local filter configuration, allowing silent tampering of command output shown to LLM
Description
RTK (Rust Token Killer) improperly trusts project-local configuration files. In versions prior to 0.32.0, RTK automatically loads .rtk/filters.toml from the working directory with highest priority and without user notification. An attacker can place a malicious filter file in a repository to apply regex-based modifications (e.g., strip_lines_matching) to shell command output before it is shown to the LLM, without any indication that the output has been modified.
This allows attackers to selectively suppress or alter command output (including file contents, diffs, and security scan results) without detection, potentially concealing malicious code during AI-assisted development or review.
Patch
Fixed in v0.32.0 (PRs #623, #625):
.rtk/filters.tomlis now blocked by default when untrusted, with a visible warning:[rtk] WARNING: untrusted project filters — Filters NOT applied. Run rtk trust to review and enable.- SHA-256 hash verification: if the file changes after trust, filters are blocked again until re-reviewed.
- New
rtk trust/rtk untrustcommands for explicit user consent. - Trust store implemented in
src/trust.rs; trust gate added insrc/toml_filter.rs.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
RTK prior to v0.32.0 silently loads .rtk/filters.toml, allowing attackers to alter command output without detection during AI-assisted development.
Vulnerability
RTK (Rust Token Killer) versions prior to 0.32.0 automatically load .rtk/filters.toml from the working directory with the highest priority and without user notification. This file can define regex-based modifications (e.g., strip_lines_matching) that are applied to shell command output before it is sent to the LLM. The trust boundary is improperly enforced, allowing an attacker to place a malicious filter file in a repository [1][3].
Exploitation
An attacker creates a repository containing a crafted .rtk/filters.toml file. When a victim runs RTK in that repository, the malicious filters are silently loaded and applied to all command outputs. No special network position or authentication is required — only that the victim executes RTK within the affected directory [2][3].
Impact
Successful exploitation allows the attacker to selectively suppress or alter command output, including file contents, diffs, and security scan results, without any indication that the output has been modified. This can conceal malicious code during AI-assisted development or code review, potentially leading to supply-chain compromise [3].
Mitigation
The vulnerability is fixed in RTK v0.32.0 (PRs #623, #625). The fix introduces a trust boundary: untrusted project-local filters are blocked by default with a warning message, SHA-256 hash verification ensures that changes to the file after trust are detected, and new rtk trust / rtk untrust commands provide explicit user consent [2][4]. Users should upgrade to v0.32.0 or later.
- GitHub - rtk-ai/rtk: CLI proxy that reduces LLM token consumption by 60-90% on common dev commands. Single Rust binary, zero dependencies
- security: trust boundary for project-local TOML filters (SA-2025-RTK-002) by pszymkowiak · Pull Request #623 · rtk-ai/rtk
- CVE-2026-45792 - GitHub Advisory Database
- fix: trust boundary followup — TOML key typo + missing meta commands by pszymkowiak · Pull Request #625 · rtk-ai/rtk
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
4News mentions
0No linked articles in our index yet.