| 제목 | agentuniverse-ai agentUniverse v0.0.18 OS Command Injection |
|---|
| 설명 | Critical Remote Code Execution (RCE) vulnerabilities exist in the AgentUniverse framework's MCP (Model Context Protocol) implementation. The vulnerabilities allow arbitrary command execution through insufficient input validation in multiple components including MCPSessionManager, MCPTool, and MCPToolkit. When establishing connections to MCP servers, user-controlled input is directly passed to `StdioServerParameters` and subsequently to `anyio.open_process()` without any sanitization or validation, enabling attackers to execute arbitrary system commands with the privileges of the AgentUniverse process. |
|---|
| 원천 | ⚠️ https://github.com/bayuncao-bit/vul-37 |
|---|
| 사용자 | bayuncao (UID 50143) |
|---|
| 제출 | 2025. 07. 23. AM 09:14 (9 개월 ago) |
|---|
| 모더레이션 | 2025. 08. 07. PM 12:46 (15 days later) |
|---|
| 상태 | 수락 |
|---|
| VulDB 항목 | 319127 [agentUniverse 까지 0.0.18 MCPSessionManager/MCPTool/MCPToolkit StdioServerParameters 권한 상승] |
|---|
| 포인트들 | 20 |
|---|