| Title | FoundationAgents MetaGPT 0.8.1 OS Command Injection (CWE-78) |
|---|
| Description | # Technical Details
An OS Command Injection vulnerability exists in MetaGPT due to the Bash class being registered as an LLM-callable tool via the @register_tool(include_functions=["run"]) decorator.
The Bash class (located in metagpt/tools/libs/terminal.py) is designed to run bash commands directly. By exposing its run() method to LLM agents, it allows these agents to execute arbitrary bash commands without any meaningful security restrictions.
# Vulnerable Code
File: metagpt/tools/libs/terminal.py
Method: Bash.run()
Why: The class is explicitly registered as a tool (@register_tool). Its run() method takes an LLM-provided string and passes it directly to self.run_command(cmd), which writes the command to a persistent bash process.
# Reproduction
1. Initialize the Bash tool in a MetaGPT script.
2. Formulate a prompt injection payload that instructs the LLM to call the tool with a malicious command:
Bash().run("id > /tmp/bash_tool_rce_proof.txt")
3. Execute the workflow.
4. Verify /tmp/bash_tool_rce_proof.txt is created with the command output.
# Impact
- Remote Code Execution (RCE): An attacker can supply external input that influences the LLM (Prompt Injection) to invoke the Bash tool with malicious commands. This leads to full system compromise, data exfiltration, and backdoor installation on the host running MetaGPT workflows. |
|---|
| Source | ⚠️ https://github.com/FoundationAgents/MetaGPT/issues/1931 |
|---|
| User | Eric-d (UID 96861) |
|---|
| Submitted | 2026-03-28 04:27 AM (21 days ago) |
|---|
| Moderation | 2026-04-09 02:04 PM (12 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 356528 [FoundationAgents MetaGPT up to 0.8.1 terminal.py Bash.run privilege escalation] |
|---|
| Points | 20 |
|---|
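
The description above says the LLM-provided string reaches a persistent bash process unchecked. The block below is an added example, not MetaGPT code and not part of the submission, showing one way to gate such a string before execution; `vet_command`, `guarded_run` and the allowlist contents are hypothetical names and values chosen for illustration.

```python
import shlex
import subprocess

# Assumption: the programs this agent legitimately needs (constructed list).
ALLOWED_PROGRAMS = {"ls", "cat", "grep", "wc"}
# Characters that chain, substitute or redirect when a string reaches a shell.
SHELL_META = set(";&|<>`$(){}\\\n")


def vet_command(cmd: str) -> list[str]:
    """Return an argv list for an acceptable command, else raise ValueError."""
    found = SHELL_META.intersection(cmd)
    if found:
        raise ValueError(f"shell metacharacters not allowed: {sorted(found)}")
    try:
        argv = shlex.split(cmd)
    except ValueError as exc:  # e.g. unbalanced quotes
        raise ValueError(f"unparseable command: {exc}") from exc
    if not argv:
        raise ValueError("empty command")
    # Exact-name match also rejects explicit paths such as /tmp/ls.
    if argv[0] not in ALLOWED_PROGRAMS:
        raise ValueError(f"program not on allowlist: {argv[0]!r}")
    return argv


def guarded_run(cmd: str, timeout: int = 10) -> str:
    """Run a vetted command as an argv vector; no shell ever sees the string."""
    argv = vet_command(cmd)
    done = subprocess.run(argv, shell=False, capture_output=True,
                          text=True, timeout=timeout, check=False)
    return done.stdout


if __name__ == "__main__":
    # Constructed tool-call strings; the second is the proof command from the report.
    for proposed in ["ls -la /tmp", "id > /tmp/bash_tool_rce_proof.txt", "cat 'a b.txt"]:
        try:
            print("ALLOW", vet_command(proposed))
        except ValueError as err:
            print("DENY ", proposed, "->", err)
```

An allowlist of program names does not limit which files `cat` or `grep` can read, so a gate like this complements, rather than replaces, running the tool under a low-privilege account in an isolated environment.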