Perplexity has dismissed a critical Remote Code Execution (RCE) vulnerability report as “fake news,” even as researchers claim the company quietly patched the flaw this week.
Cybersecurity firm SquareX alleges that the Comet browser’s undocumented MCP API allowed attackers to bypass sandboxing and hijack devices.
This represents a significant leap in severity from the indirect prompt injection flaws reported in August. While Perplexity insists the exploit requires implausible user intervention, evidence suggests a silent update on November 20 disabled the vulnerable feature entirely.
‘Fake News’ vs. Silent Patch
SquareX researchers formally submitted the vulnerability report via Bugcrowd’s Vulnerability Disclosure Program (VDP) on November 4, 2025. Rather than follow standard industry protocol (acknowledging the report, verifying the findings, and crediting the researchers upon patching), Perplexity bypassed technical engagement entirely.
Fueling the controversy, the company launched a direct attack on the researchers’ credibility. In a statement to TechRadar, spokesperson Jesse Dwyer categorically denied the validity of the findings: “This is SquareX’s second time presenting false security research. The first one we also proved was false.”
Perplexity’s primary defense rests on the claim that the exploit is theoretically impossible without extreme user intervention. Dwyer argued that “to replicate this, the human user must turn on developer mode and manually sideload malware into Comet.”
Contradicting this stance, SquareX asserts the vulnerability was accessible via default embedded extensions that ship with the browser. According to SquareX Labs, these extensions required no user interaction once the browser was compromised.
A silent update was reportedly deployed on November 20, disabling the controversial MCP API just days before the public denial. Such urgent action raises serious questions about transparency. If the vulnerability was indeed “fake,” the immediate disablement of the feature appears contradictory.
SquareX maintains that “users are no longer vulnerable to exploitation via the MCP API.” Handling the disclosure in this manner deviates sharply from industry norms, where vendors typically prioritize collaborative remediation over public disputes.
Anatomy of the Attack: Breaking the Sandbox
Central to the researchers’ findings is an undocumented Model Context Protocol (MCP) API, specifically `chrome.perplexity.mcp.addStdioServer`.
Traditional browser extensions are strictly sandboxed to prevent system-level access; this API allegedly granted embedded extensions the ability to execute arbitrary local commands.
The SquareX disclosure document explicitly defined the scope of the flaw:
“Our research reveals that Comet has implemented an MCP API that allows its embedded extensions to execute arbitrary local commands on host devices without explicit user permission.”
SquareX warns that this architecture effectively bypasses the Native Messaging API restrictions that Chrome, Firefox, and Safari use to prevent exactly this type of system-level compromise.
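To make the Native Messaging restriction concrete, here is an added example (not from SquareX, Perplexity, or the original article) that audits Chrome-style Native Messaging host manifests and models the allowlist gate the browser applies before launching a local binary. The manifests, host names, paths and extension IDs are constructed; the absolute-path rule shown is the Linux/macOS one.

```python
import re

# Constructed sample data: a 32-character a-p extension ID and two host manifests.
GOOD_ORIGIN = "chrome-extension://" + "a" * 32 + "/"
SAMPLE_MANIFESTS = [
    {"name": "com.example.password_helper", "description": "well-formed host",
     "path": "/opt/example/helper", "type": "stdio",
     "allowed_origins": [GOOD_ORIGIN]},
    {"name": "com.example.loose_host", "description": "misconfigured host",
     "path": "helper.sh", "type": "stdio",
     "allowed_origins": ["chrome-extension://*/"]},
]

NAME_RE = re.compile(r"^[a-z0-9_]+(\.[a-z0-9_]+)*$")
ORIGIN_RE = re.compile(r"^chrome-extension://[a-p]{32}/$")

def audit_manifest(manifest):
    """Return a list of problems that weaken the Native Messaging boundary."""
    findings = []
    if not NAME_RE.match(manifest.get("name", "")):
        findings.append("invalid host name")
    if manifest.get("type") != "stdio":
        findings.append("type must be stdio")
    # The binary is pinned by the manifest, which is installed outside the browser.
    if not manifest.get("path", "").startswith("/"):
        findings.append("path is not absolute")
    origins = manifest.get("allowed_origins") or []
    if not origins:
        findings.append("no allowed_origins")
    for origin in origins:
        # Wildcards are not permitted: each entry names exactly one extension.
        if not ORIGIN_RE.match(origin):
            findings.append(f"origin is not a single extension ID: {origin}")
    return findings

def resolve_host(manifests, host_name, caller_origin):
    """Model the gate: an extension names a host and never supplies a command."""
    for manifest in manifests:
        if manifest.get("name") != host_name:
            continue
        if audit_manifest(manifest):
            return None  # refuse to launch from a malformed manifest
        if caller_origin in manifest["allowed_origins"]:
            return manifest["path"]  # fixed binary chosen at install time
        return None  # caller is not on the allowlist
    return None  # no such host registered
```

The property to notice is that the caller only selects a pre-registered host by name; an API where the extension itself passes the command to run has no equivalent of this gate.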
By default, Comet includes two hidden extensions, `comet-agent` and `comet-analytics`, which are not visible in the standard `comet://extensions` dashboard. Researchers utilized a technique known as “extension stomping” to impersonate these privileged extensions and gain access to the API.
Demonstrating the severity of the flaw, the Proof-of-Concept (PoC) showed the ability to launch “Wannacry” ransomware on a host machine. Such a significant failure of browser isolation transforms the browser from a passive tool into a potential “insider threat” capable of executing code with the user’s full system privileges.
SquareX researchers noted that “the MCP API essentially allows AI Browser vendors to grant themselves, and potentially third parties in the future full access to devices.”
The ‘Agentic’ Risk: A Pattern of Security Lapses
This marks the second major security controversy for Perplexity in recent months. It follows previous reporting on Brave’s discovery involving “indirect prompt injection” flaws in Comet earlier this year.
Recurring across these incidents is the theme of “Agentic AI” (browsers designed to act on the user’s behalf) clashing with established security boundaries.
In its defense, Perplexity emphasized its consent protocols in a statement to TechRadar:
“When installing local MCPs we require user consent–users are the ones setting it up and calling the MCP API. They specify exactly what command to run.”
“Any additional command from the MCP (ex. AI tool calling) also requires user confirmation.”
Critics argue that Perplexity is prioritizing feature velocity over security architecture, shipping powerful capabilities without adequate guardrails. Kabilan Sakthivel, a researcher at SquareX, warned that this approach “reverses the clock on decades of browser security principles established by vendors like Chrome, Safari and Firefox.”
Adopting a “shoot the messenger” strategy (first disputing Brave’s findings, now attacking SquareX) suggests a reluctance to engage with the security community.
Comparisons are being drawn to OpenAI’s admission regarding its Atlas browser, where prompt injection was acknowledged as an “unsolved problem,” though OpenAI opted for transparency over denial.
Heightening the stakes is Perplexity’s aggressive market expansion, including the recent launch of its Comet Android browser version. Security experts warn that normalizing “silent patches” and attacking researchers could discourage future responsible disclosures, leaving users vulnerable to zero-day exploits.

