ContextCrush Vulnerability in Context7 MCP Server

First reported

05.03.2026 16:00

Last updated

1 unique sources, 1 articles

Summary

Hide ▲

A critical vulnerability, dubbed ContextCrush, in the Context7 MCP Server allows attackers to inject malicious instructions into AI development tools through trusted documentation channels. The flaw stems from unfiltered 'Custom Rules' that are delivered to AI agents without sanitization. The vulnerability could enable attackers to compromise development environments by executing harmful actions using the permissions of AI coding assistants. The issue was discovered by Noma Labs researchers and patched by Upstash on February 23, 2026.

Timeline

05.03.2026 16:00 1 articles · 3h ago

ContextCrush Vulnerability in Context7 MCP Server Disclosed and Patched
On February 18, 2026, Noma Labs researchers disclosed the ContextCrush vulnerability in the Context7 MCP Server. The flaw allows attackers to inject malicious instructions into AI development tools through trusted documentation channels. Upstash began remediation on February 19, 2026, and deployed a fix on February 23, 2026, introducing rule sanitization and additional safeguards. There is no evidence that the flaw was exploited in real-world attacks.
Show sources

ContextCrush Flaw Exposes AI Development Tools to Attacks — www.infosecurity-magazine.com — 05.03.2026 16:00
Open in new tab

Information Snippets

ContextCrush affects the Context7 MCP Server, a tool used to deliver documentation to AI coding assistants like Cursor, Claude Code, and Windsurf.
First reported: 05.03.2026 16:00

1 source, 1 article
Show sources
- ContextCrush Flaw Exposes AI Development Tools to Attacks — www.infosecurity-magazine.com — 05.03.2026 16:00
The vulnerability arises from the 'Custom Rules' feature, which allows library maintainers to provide AI-specific instructions without proper filtering or sanitization.
First reported: 05.03.2026 16:00

1 source, 1 article
Show sources
- ContextCrush Flaw Exposes AI Development Tools to Attacks — www.infosecurity-magazine.com — 05.03.2026 16:00
Attackers can register a new library on Context7, insert malicious instructions, and wait for developers to query the library through their AI coding assistant.
First reported: 05.03.2026 16:00

1 source, 1 article
Show sources
- ContextCrush Flaw Exposes AI Development Tools to Attacks — www.infosecurity-magazine.com — 05.03.2026 16:00
The flaw does not require direct interaction with a victim system, as the malicious instructions are distributed through Context7's infrastructure.
First reported: 05.03.2026 16:00

1 source, 1 article
Show sources
- ContextCrush Flaw Exposes AI Development Tools to Attacks — www.infosecurity-magazine.com — 05.03.2026 16:00
Researchers demonstrated that poisoned library entries could compromise development environments by instructing AI assistants to search for and exfiltrate sensitive files.
First reported: 05.03.2026 16:00

1 source, 1 article
Show sources
- ContextCrush Flaw Exposes AI Development Tools to Attacks — www.infosecurity-magazine.com — 05.03.2026 16:00
Upstash began remediation on February 19, 2026, and deployed a fix on February 23, 2026, introducing rule sanitization and additional safeguards.
First reported: 05.03.2026 16:00

1 source, 1 article
Show sources
- ContextCrush Flaw Exposes AI Development Tools to Attacks — www.infosecurity-magazine.com — 05.03.2026 16:00
There is no evidence that the flaw was exploited in real-world attacks.
First reported: 05.03.2026 16:00

1 source, 1 article
Show sources
- ContextCrush Flaw Exposes AI Development Tools to Attacks — www.infosecurity-magazine.com — 05.03.2026 16:00

Summary

Timeline

ContextCrush Vulnerability in Context7 MCP Server Disclosed and Patched

Information Snippets