| Title | FoundationAgents MetaGPT 0.8.1 Code Injection (CWE-94) |
|---|
| Description | # Technical Details
A Code Injection vulnerability exists in the `run_code` function in `metagpt/ext/aflow/scripts/operator.py` of MetaGPT.
The application fails to properly sandbox Python code execution. It uses an incomplete blocklist mechanism that checks for simple strings like `import os`. This is easily bypassed by using dynamic import methods like `__import__` or `importlib`.
# Vulnerable Code
File: metagpt/ext/aflow/scripts/operator.py
Method: run_code()
Why: The security check only tests whether the submitted code contains the substrings `import {lib}` or `from {lib}`, so a dynamic import such as `__import__('os')` is not blocked and the code is handed to `exec()`, giving arbitrary execution.
# Reproduction
1. Create a malicious payload that avoids the literal string "import os", such as:
`def solve(): __import__('os').system('touch /tmp/bypass_proof')`
2. Pass this payload to the `run_code` function in `operator.py`.
3. The blocklist is bypassed and `exec()` executes the payload.
4. Verify `/tmp/bypass_proof` exists on the host.
# Impact
- Remote Code Execution: An attacker who can influence the LLM's output can execute arbitrary OS commands on the host running the MetaGPT instance, with the privileges of the MetaGPT process. |
|---|
| Source | https://github.com/FoundationAgents/MetaGPT/issues/1926 |
|---|
| User | Eric-y (UID 95889) |
|---|
| Submission | 03/28/2026 03:17 (14 days ago) |
|---|
| Moderation | 04/09/2026 14:04 (12 days later) |
|---|
| Status | Duplicate |
|---|
| VulDB entry | 352080 [Foundation Agents MetaGPT up to 0.8.1 operator.py code_generate code injection] |
|---|
| Points | 0 |
|---|
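The filter weakness the Description attributes to `run_code`, as an added example: this is not MetaGPT's code. `weak_check` is a simplified reconstruction of the substring blocklist the report describes, and `BLOCKED_LIBS`, `BLOCKED_NAMES`, `ast_check` and the sample payloads are assumptions made for this example. It shows the report's `__import__('os')` payload and an `importlib` variant passing the substring check, and how parsing the code into an AST rejects both. Only the filters run here; nothing is passed to `exec()`.

```python
"""Substring blocklist bypass (as described in the report) beside an AST-based check.

weak_check() is a simplified reconstruction of the filter the report describes
(an assumption for this example, not MetaGPT's actual implementation).
ast_check() makes the filter structural instead of textual; it is still a
denylist and not a substitute for process-level isolation.
"""
import ast

# Module names the filter is meant to keep out (chosen for this example).
BLOCKED_LIBS = ("os", "sys", "subprocess")

# Builtins that can reach the blocked modules indirectly (example list).
BLOCKED_NAMES = frozenset({
    "__import__", "eval", "exec", "compile", "open", "globals", "locals",
    "vars", "getattr", "setattr", "delattr", "breakpoint", "__builtins__",
})


def weak_check(code: str) -> bool:
    """Return True if `code` passes the substring blocklist.

    Matches only the literal text 'import <lib>' / 'from <lib>', so a
    dynamic import such as __import__('os') slips through.
    """
    return not any(
        f"import {lib}" in code or f"from {lib}" in code for lib in BLOCKED_LIBS
    )


def ast_check(code: str) -> bool:
    """Return True if `code` passes a structural check on its syntax tree.

    Rejects every import statement, any reference to a name in BLOCKED_NAMES,
    and any dunder name or attribute (the usual route to interpreter internals).
    Unparseable input is rejected rather than passed on to exec().
    """
    try:
        tree = ast.parse(code)
    except SyntaxError:
        return False
    for node in ast.walk(tree):
        if isinstance(node, (ast.Import, ast.ImportFrom)):
            return False
        if isinstance(node, ast.Name) and (
            node.id in BLOCKED_NAMES or node.id.startswith("__")
        ):
            return False
        if isinstance(node, ast.Attribute) and node.attr.startswith("__"):
            return False
    return True


# Constructed inputs: one benign snippet and three payloads.
BENIGN = "def solve(xs):\n    return sum(xs)\n"
NAIVE = "import os\nos.system('id')\n"
# The payload from the report: the substring 'import os' never appears.
DUNDER_BYPASS = "def solve(): __import__('os').system('touch /tmp/bypass_proof')\n"
IMPORTLIB_BYPASS = (
    "import importlib\n"
    "importlib.import_module('os').system('touch /tmp/bypass_proof')\n"
)

SAMPLES = {
    "benign": BENIGN,
    "naive": NAIVE,
    "dunder_bypass": DUNDER_BYPASS,
    "importlib_bypass": IMPORTLIB_BYPASS,
}


def compare_checks() -> dict[str, tuple[bool, bool]]:
    """Run both filters over SAMPLES; values are (weak_allows, ast_allows)."""
    return {name: (weak_check(src), ast_check(src)) for name, src in SAMPLES.items()}


if __name__ == "__main__":
    for name, (weak, strict) in compare_checks().items():
        print(f"{name:17s} substring-filter allows={weak!s:5s} ast-filter allows={strict}")
```

Even the AST version is a denylist: `getattr`, `vars`, dunder attributes and similar routes have to be enumerated, and one will eventually be missed. Treat it as defence in depth only; the sandboxing the report says is missing means executing LLM-generated code in a separate process or container with dropped privileges, a read-only filesystem and no network access.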