A critical vulnerability affecting the Context7 MCP Server, a widely used tool for delivering documentation to AI coding assistants, has been disclosed by security researchers.
The issue, dubbed ContextCrush, could allow attackers to inject malicious instructions into AI development tools through a trusted documentation channel.
The flaw was discovered by Noma Labs researchers in the Context7 platform operated by Upstash. Context7 is used by developers to provide AI assistants such as Cursor, Claude Code and Windsurf with up-to-date library documentation directly inside integrated development environments.
With around 50,000 GitHub stars and more than 8 million npm downloads, the server has become a common component in AI-assisted development workflows.
How the ContextCrush Vulnerability Works
The issue stems from the platform’s “Custom Rules” feature, which allows library maintainers to provide AI-specific instructions to help assistants better interpret documentation. Researchers found these instructions were delivered to AI agents exactly as submitted, without filtering or sanitization.
Because the instructions were transmitted through a trusted MCP server, AI agents could interpret them as legitimate guidance and execute them with the permissions available on a developer’s machine.
Read more on AI supply chain security: Huge “Shadow Layer” of Organizations Hit by Supply Chain Attacks
In practice, this meant attackers could plant malicious rules within the documentation registry and rely on Context7’s infrastructure to distribute them to developers’ AI tools. The attack did not require direct interaction with a victim system.
The researchers outlined a typical attack chain:
-
Register a new library using a GitHub account on Context7
-
Insert malicious instructions into the Custom Rules section
-
Wait for developers to query the library through their AI coding assistant
When triggered, the injected instructions could cause the AI assistant to perform harmful actions using its existing system access.
Demonstrated Impact and Security Concerns
During testing, the researchers demonstrated how a poisoned library entry could compromise a development environment.
The AI assistant was instructed to search for sensitive .env files, transmit their contents to an attacker-controlled repository and then delete local files under the pretext of performing a Cleanup task. Because the commands were delivered alongside legitimate documentation, the AI agent had no reliable way to differentiate them.
Security analysts warn that the architecture of MCP servers creates an inherent trust problem. Tools that aggregate user-generated content and deliver it through a trusted channel can unintentionally transform documentation into executable instructions for AI agents.
Noma Labs researchers also highlighted that signals such as GitHub reputation, popularity rankings and trust scores can be manipulated, potentially allowing malicious libraries to appear credible.
Following disclosure on February 18, Upstash began remediation the next day and deployed a fix on February 23, introducing rule sanitisation and additional safeguards for the platform. There is no evidence that the flaw was exploited in real-world attacks.