| Titel | FoundationAgents MetaGPT 0.8.1 OS Command Injection (CWE-78) |
|---|
| Beschreibung | # Technical Details
An OS Command Injection vulnerability exists in the get_mime_type() function of MetaGPT (metagpt/utils/common.py), which uses shell_execute() with a string command, triggering shell=True in subprocess.
The vulnerability stems from interpolating a user-controlled filename directly into a shell string: shell_execute(f"file --mime-type '{str(filename)}'"). When processing a malicious repository (e.g. via repo_to_markdown()), an attacker can craft a filename containing shell metacharacters like ;, ', or $(), escaping the quotes and injecting OS commands.
# Vulnerable Code
File: metagpt/tools/libs/shell.py
Method: shell_execute()
Why: Sets shell = True if the command is a string.
File: metagpt/utils/common.py
Method: get_mime_type()
Why: await shell_execute(f"file --mime-type '{str(filename)}'") passes unsanitized string directly to the shell.
# Reproduction
1. Create a repository with a maliciously crafted filename: touch "test';id>/tmp/rce_proof;'.txt"
2. Run MetaGPT's repo_to_markdown() or trigger get_mime_type() on this file.
3. The shell executes: file --mime-type 'test' ; id>/tmp/rce_proof ; '.txt'
4. Verify /tmp/rce_proof was created on the system.
# Impact
- Remote Code Execution (RCE): An attacker can supply a malicious repository. When a victim processes this repository with MetaGPT, the malicious filename triggers code execution, allowing full system access, arbitrary file read/write, and data exfiltration.
|
|---|
| Quelle | ⚠️ https://github.com/FoundationAgents/MetaGPT/issues/1930 |
|---|
| Benutzer | Eric-d (UID 96861) |
|---|
| Einreichung | 28.03.2026 04:23 (vor 27 Tagen) |
|---|
| Moderieren | 09.04.2026 14:04 (12 days later) |
|---|
| Status | Akzeptiert |
|---|
| VulDB Eintrag | 356527 [FoundationAgents MetaGPT bis 0.8.1 metagpt/utils/common.py get_mime_type erweiterte Rechte] |
|---|
| Punkte | 20 |
|---|