Submit #621376: agentuniverse-ai agentUniverse v0.0.18 OS Command Injection

Title: agentuniverse-ai agentUniverse v0.0.18 OS Command Injection
Description: Critical Remote Code Execution (RCE) vulnerabilities exist in the AgentUniverse framework's MCP (Model Context Protocol) implementation. The vulnerabilities allow arbitrary command execution through insufficient input validation in multiple components including MCPSessionManager, MCPTool, and MCPToolkit. When establishing connections to MCP servers, user-controlled input is directly passed to `StdioServerParameters` and subsequently to `anyio.open_process()` without any sanitization or validation, enabling attackers to execute arbitrary system commands with the privileges of the AgentUniverse process.
Source: https://github.com/bayuncao-bit/vul-37
User: bayuncao (UID 50143)
Submission: 23.07.2025 09:14 (9 months ago)
Moderation: 07.08.2025 12:46 (15 days later)
Status: Accepted
VulDB entry: 319127 [agentUniverse up to 0.0.18 MCPSessionManager/MCPTool/MCPToolkit StdioServerParameters privilege escalation]
Points: 20
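
One way to close the gap the description names is to check a stdio server configuration against an operator-maintained allowlist before it is handed to `StdioServerParameters`. The following is an added example, not code from agentUniverse or from the submitter; `Launch`, `ALLOWED_LAUNCHES`, `ALLOWED_ENV_KEYS`, `validate_stdio_config` and `is_allowed` are hypothetical names, and all paths and values are constructed.

```python
from collections.abc import Mapping
from typing import NamedTuple


class Launch(NamedTuple):
    command: str
    args: tuple


# Operator-maintained allowlist (constructed sample values). Each entry pins
# the absolute executable path AND the full argument vector.
ALLOWED_LAUNCHES = frozenset({
    Launch("/opt/mcp/bin/weather-server", ("--stdio",)),
    Launch("/usr/bin/python3", ("-m", "docs_mcp_server")),
})
# Environment variables a config may set; anything else (PATH, LD_PRELOAD, ...)
# is rejected because it can change what the child process loads or runs.
ALLOWED_ENV_KEYS = frozenset({"LANG", "TZ"})


def validate_stdio_config(cfg: Mapping) -> Launch:
    """Return the pinned launch spec for an untrusted config, or raise ValueError."""
    command = cfg.get("command")
    args = cfg.get("args", [])
    env = cfg.get("env") or {}
    if not isinstance(command, str):
        raise ValueError("command must be a string")
    if not isinstance(args, (list, tuple)) or not all(isinstance(a, str) for a in args):
        raise ValueError("args must be a list of strings")
    if not isinstance(env, Mapping):
        raise ValueError("env must be a mapping")
    launch = Launch(command, tuple(args))
    # Exact match on executable and arguments: allowing "/usr/bin/python3" by
    # itself would still let the caller pass "-c <code>".
    if launch not in ALLOWED_LAUNCHES:
        raise ValueError(f"launch not allowlisted: {command!r} {list(args)!r}")
    extra = set(env) - ALLOWED_ENV_KEYS
    if extra:
        raise ValueError(f"env keys not allowed: {sorted(extra)}")
    return launch


def is_allowed(cfg: Mapping) -> bool:
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        validate_stdio_config(cfg)
        return True
    except ValueError:
        return False
```

Only the returned `Launch` values, never the raw request fields, should reach the process-spawning call.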
