जमा करें #791758: FoundationAgents MetaGPT 0.8.1 OS Command Injection (CWE-78)जानकारी

शीर्षकFoundationAgents MetaGPT 0.8.1 OS Command Injection (CWE-78)
विवरण# Technical Details An OS Command Injection vulnerability exists in MetaGPT due to the Bash class being registered as an LLM-callable tool via the @register_tool(include_functions=["run"]) decorator. The Bash class (located in metagpt/tools/libs/terminal.py) is designed to run bash commands directly. By exposing its run() method to LLM agents, it allows these agents to execute arbitrary bash commands without any meaningful security restrictions. # Vulnerable Code File: metagpt/tools/libs/terminal.py Method: Bash.run() Why: The class is explicitly registered as a tool (@register_tool). Its run() method takes an LLM-provided string and passes it directly to self.run_command(cmd), which writes the command to a persistent bash process. # Reproduction 1. Initialize the Bash tool in a MetaGPT script. 2. Formulate a prompt injection payload that instructs the LLM to call the tool with a malicious command: Bash().run("id > /tmp/bash_tool_rce_proof.txt") 3. Execute the workflow. 4. Verify /tmp/bash_tool_rce_proof.txt is created with the command output. # Impact - Remote Code Execution (RCE): An attacker can supply external input that influences the LLM (Prompt Injection) to invoke the Bash tool with malicious commands. This leads to full system compromise, data exfiltration, and backdoor installation on the host running MetaGPT workflows.
स्रोत⚠️ https://github.com/FoundationAgents/MetaGPT/issues/1931
उपयोगकर्ता Eric-d (UID 96861)
सबमिशन28/03/2026 04:27 AM (4 महीनों पहले)
संयम09/04/2026 02:04 PM (12 days later)
स्थितिस्वीकृत
VulDB प्रविष्टि356528 [FoundationAgents MetaGPT तक 0.8.1 terminal.py Bash.run अधिकार वृद्धि]
अंक20

Do you want to use VulDB in your project?

Use the official API to access entries easily!