| タイトル | FoundationAgents MetaGPT 0.8.1 OS Command Injection (CWE-78) |
|---|
| 説明 | # Technical Details
An OS Command Injection vulnerability exists in the get_mime_type() function of MetaGPT (metagpt/utils/common.py), which uses shell_execute() with a string command, triggering shell=True in subprocess.
The vulnerability stems from interpolating a user-controlled filename directly into a shell string: shell_execute(f"file --mime-type '{str(filename)}'"). When processing a malicious repository (e.g. via repo_to_markdown()), an attacker can craft a filename containing shell metacharacters like ;, ', or $(), escaping the quotes and injecting OS commands.
# Vulnerable Code
File: metagpt/tools/libs/shell.py
Method: shell_execute()
Why: Sets shell = True if the command is a string.
File: metagpt/utils/common.py
Method: get_mime_type()
Why: await shell_execute(f"file --mime-type '{str(filename)}'") passes unsanitized string directly to the shell.
# Reproduction
1. Create a repository with a maliciously crafted filename: touch "test';id>/tmp/rce_proof;'.txt"
2. Run MetaGPT's repo_to_markdown() or trigger get_mime_type() on this file.
3. The shell executes: file --mime-type 'test' ; id>/tmp/rce_proof ; '.txt'
4. Verify /tmp/rce_proof was created on the system.
# Impact
- Remote Code Execution (RCE): An attacker can supply a malicious repository. When a victim processes this repository with MetaGPT, the malicious filename triggers code execution, allowing full system access, arbitrary file read/write, and data exfiltration.
|
|---|
| ソース | ⚠️ https://github.com/FoundationAgents/MetaGPT/issues/1930 |
|---|
| ユーザー | Eric-d (UID 96861) |
|---|
| 送信 | 2026年03月28日 04:23 (1 月 ago) |
|---|
| モデレーション | 2026年04月09日 14:04 (12 days later) |
|---|
| ステータス | 承諾済み |
|---|
| VulDBエントリ | 356527 [FoundationAgents MetaGPT 迄 0.8.1 metagpt/utils/common.py get_mime_type 特権昇格] |
|---|
| ポイント | 20 |
|---|