| Title | FoundationAgents MetaGPT 0.8.1 Cross Site Request Forgery (CWE-352) |
|---|
| Description | # Technical Details
A Cross-Site Request Forgery (CSRF) vulnerability exists in the Mineflayer HTTP API of MetaGPT (metagpt/environment/minecraft/mineflayer/index.js), leading to unauthenticated Remote Code Execution (RCE).
The Express.js server runs locally and exposes a /step endpoint that accepts arbitrary JavaScript code via req.body.code and executes it directly through the unsafe eval() function (evaluateCode()). This endpoint has no authentication checks and lacks CORS protection. Additionally, the server binds to x.x.x.x by default.
# Vulnerable Code
File: metagpt/environment/minecraft/mineflayer/index.js
Method: app.post("/step", ...) & evaluateCode()
Why: The server accepts POST requests containing raw JavaScript code and directly interpolates it into an eval() statement without restricting origin (CORS) or verifying the caller's identity.
# Reproduction
1. Start the MetaGPT Mineflayer HTTP server locally on port 3000.
2. An attacker hosts a malicious HTML page with JavaScript that performs a blind POST request using fetch('http://127.0.0.1:3000/step', { method: 'POST', body: JSON.stringify({ code: "require('child_process').execSync('touch /tmp/csrf_rce_proof')", programs: "" }), mode: 'no-cors' }).
3. A victim running the Mineflayer server visits the attacker's page.
4. The JavaScript payload executes on the victim's machine. Verify /tmp/csrf_rce_proof exists.
# Impact
- Remote Code Execution (RCE): An attacker can execute arbitrary system commands, exfiltrate data, or establish a reverse shell simply by tricking the victim into opening a malicious webpage while the Mineflayer environment is running. |
|---|
| Source | https://github.com/FoundationAgents/MetaGPT/issues/1932 |
|---|
| User | Eric-d (UID 96861) |
|---|
| Submission | 28.03.2026 04:36 (16 days ago) |
|---|
| Moderation | 11.04.2026 09:49 (14 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 356969 [FoundationAgents MetaGPT up to 0.8.1 Mineflayer HTTP API index.js evaluateCode Cross Site Request Forgery] |
|---|
| Points | 20 |
|---|
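
The description names two missing controls on /step: caller authentication and origin restriction. The following is an added example, not MetaGPT's code, of a request gate that rejects the blind cross-site POST from the reproduction before it reaches the handler. The host allowlist, the bearer-token scheme and the function names are assumptions, as is a non-browser local client as the only legitimate caller.

```javascript
// Added example, not MetaGPT code: a gate for a loopback-only HTTP API like /step.
// Assumptions: ALLOWED_HOSTS, the bearer-token scheme, and a non-browser local client.
const ALLOWED_HOSTS = new Set(["127.0.0.1:3000", "localhost:3000"]);

// Constant-time comparison so the token check does not reveal how many characters matched.
function safeEqual(a, b) {
  if (typeof a !== "string" || typeof b !== "string" || a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// headers: lower-cased header map, as in Node's req.headers.
function checkLocalApiRequest(headers, expectedToken) {
  // 1. Host must be an expected loopback name (rejects DNS-rebinding hostnames).
  if (!ALLOWED_HOSTS.has(headers["host"] || "")) {
    return { ok: false, status: 403, reason: "unexpected Host header" };
  }
  // 2. Browsers attach Origin to cross-site POSTs; no web origin is a legitimate caller here.
  if (headers["origin"] !== undefined) {
    return { ok: false, status: 403, reason: "browser-originated request" };
  }
  // 3. A no-cors fetch or HTML form cannot send application/json without a CORS preflight.
  const type = (headers["content-type"] || "").split(";")[0].trim().toLowerCase();
  if (type !== "application/json") {
    return { ok: false, status: 415, reason: "Content-Type must be application/json" };
  }
  // 4. Per-session secret shared only with the local client process.
  const auth = headers["authorization"] || "";
  const presented = auth.startsWith("Bearer ") ? auth.slice(7) : "";
  if (!expectedToken || !safeEqual(presented, expectedToken)) {
    return { ok: false, status: 401, reason: "missing or invalid token" };
  }
  return { ok: true, status: 200, reason: "ok" };
}

// Express-style adapter: register before the route, e.g. app.post("/step", gate, handler).
function requireLocalCaller(expectedToken) {
  return (req, res, next) => {
    const verdict = checkLocalApiRequest(req.headers, expectedToken);
    if (verdict.ok) return next();
    res.status(verdict.status).json({ error: verdict.reason });
  };
}
```

This gate limits who can reach the endpoint; it does not make the eval() in evaluateCode() safe, and the listener should also bind to the loopback address only.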