| عنوان | FoundationAgents MetaGPT 0.8.1 OS Command Injection (CWE-78) |
|---|
| الوصف | # Technical Details
An OS Command Injection vulnerability exists in the get_mime_type() function of MetaGPT (metagpt/utils/common.py), which uses shell_execute() with a string command, triggering shell=True in subprocess.
The vulnerability stems from interpolating a user-controlled filename directly into a shell string: shell_execute(f"file --mime-type '{str(filename)}'"). When processing a malicious repository (e.g. via repo_to_markdown()), an attacker can craft a filename containing shell metacharacters like ;, ', or $(), escaping the quotes and injecting OS commands.
# Vulnerable Code
File: metagpt/tools/libs/shell.py
Method: shell_execute()
Why: Sets shell = True if the command is a string.
File: metagpt/utils/common.py
Method: get_mime_type()
Why: await shell_execute(f"file --mime-type '{str(filename)}'") passes unsanitized string directly to the shell.
# Reproduction
1. Create a repository with a maliciously crafted filename: touch "test';id>/tmp/rce_proof;'.txt"
2. Run MetaGPT's repo_to_markdown() or trigger get_mime_type() on this file.
3. The shell executes: file --mime-type 'test' ; id>/tmp/rce_proof ; '.txt'
4. Verify /tmp/rce_proof was created on the system.
# Impact
- Remote Code Execution (RCE): An attacker can supply a malicious repository. When a victim processes this repository with MetaGPT, the malicious filename triggers code execution, allowing full system access, arbitrary file read/write, and data exfiltration.
|
|---|
| المصدر | ⚠️ https://github.com/FoundationAgents/MetaGPT/issues/1930 |
|---|
| المستخدم | Eric-d (UID 96861) |
|---|
| ارسال | 28/03/2026 04:23 AM (29 أيام منذ) |
|---|
| الاعتدال | 09/04/2026 02:04 PM (12 days later) |
|---|
| الحالة | تمت الموافقة |
|---|
| إدخال VulDB | 356527 [FoundationAgents MetaGPT حتى 0.8.1 metagpt/utils/common.py get_mime_type تجاوز الصلاحيات] |
|---|
| النقاط | 20 |
|---|