Submit #621376: agentuniverse-ai agentUniverse v0.0.18 OS Command Injection

Title: agentuniverse-ai agentUniverse v0.0.18 OS Command Injection
Description: Critical Remote Code Execution (RCE) vulnerabilities exist in the AgentUniverse framework's MCP (Model Context Protocol) implementation. The vulnerabilities allow arbitrary command execution through insufficient input validation in multiple components including MCPSessionManager, MCPTool, and MCPToolkit. When establishing connections to MCP servers, user-controlled input is directly passed to `StdioServerParameters` and subsequently to `anyio.open_process()` without any sanitization or validation, enabling attackers to execute arbitrary system commands with the privileges of the AgentUniverse process.
Source: https://github.com/bayuncao-bit/vul-37
User: bayuncao (UID 50143)
Submission: 23/07/2025 09h14 (9 months ago)
Moderation: 07/08/2025 12h46 (15 days later)
Status: Accepted
VulDB entry: 319127 [agentUniverse up to 0.0.18 MCPSessionManager/MCPTool/MCPToolkit StdioServerParameters Privilege Escalation]
Points: 20