| Title | FoundationAgents MetaGPT 0.8.1 OS Command Injection (CWE-78) |
|---|
| Description | # Technical Details
An OS command injection vulnerability exists in the Terminal.run_command() method of MetaGPT (metagpt/tools/libs/terminal.py).
The Terminal class is registered as an LLM-callable tool via the @register_tool() decorator, so the LLM can invoke this method directly. run_command() attempts to enforce a blocklist via self.forbidden_commands, but it filters only two specific strings ("run dev" and "serve "), so virtually any dangerous command (e.g., rm -rf /, curl | bash) passes the filter and is executed in a persistent bash shell via self.process.stdin.write().
# Vulnerable Code
File: metagpt/tools/libs/terminal.py
Method: Terminal.run_command()
Why: The blocklist is woefully incomplete and fails to restrict arbitrary OS command execution; user- or LLM-supplied input is written directly to the shell process's stdin.
# Reproduction
1. Initialize the Terminal tool in a MetaGPT script.
2. Formulate a payload that avoids the strings "run dev" and "serve ", such as `id > /tmp/terminal_rce_proof.txt`.
3. Call Terminal().run_command("id > /tmp/terminal_rce_proof.txt").
4. Verify that /tmp/terminal_rce_proof.txt is created and contains the command's output.
# Impact
- Remote Code Execution (RCE): Through LLM prompt injection, an attacker can influence the tool invocation to execute arbitrary system commands, leading to full system compromise including data exfiltration and malware installation.
|
|---|
| Source | https://github.com/FoundationAgents/MetaGPT/issues/1929 |
|---|
| User | Eric-c (UID 96848) |
|---|
| Submission | 03/28/2026 04:03 (13 days ago) |
|---|
| Moderation | 04/09/2026 14:04 (12 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 356526 [FoundationAgents MetaGPT up to 0.8.1 terminal.py Terminal.run_command os command injection] |
|---|
| Points | 20 |
|---|
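As an added illustration (not MetaGPT's code), the snippet below reproduces the two-string substring blocklist the report describes for run_command() and contrasts it with a hypothetical allowlist policy: it rejects shell metacharacters, parses the command into an argv vector, and permits only a fixed set of executables, so the result can be passed to subprocess.run(argv, shell=False) instead of being written to a shell's stdin. The AllowlistPolicy class, its allowlist contents, and the assumption that the forbidden strings are matched as plain substrings are mine, not the project's.

```python
# Added example, not MetaGPT's code: the substring blocklist the report
# describes, next to a hypothetical allowlist policy a defender could use.
import shlex
from dataclasses import dataclass

# The two strings the report says run_command() rejects (assumption: they are
# matched as plain substrings of the command text).
FORBIDDEN_SUBSTRINGS = ("run dev", "serve ")


def blocklist_allows(command: str) -> bool:
    """The weak check: anything not containing the two strings reaches the shell."""
    return not any(s in command for s in FORBIDDEN_SUBSTRINGS)


# Characters that only carry meaning for a shell; an argv vector executed with
# shell=False has no legitimate use for them.
SHELL_METACHARS = frozenset(";&|<>`$(){}\n")


@dataclass(frozen=True)
class AllowlistPolicy:
    """Hypothetical replacement policy: allowlist executables, deny shell syntax."""
    allowed_executables: frozenset = frozenset({"ls", "cat", "git", "pytest"})

    def check(self, command: str) -> tuple[bool, str]:
        """Return (allowed, reason) without executing anything."""
        if any(ch in SHELL_METACHARS for ch in command):
            return False, "shell metacharacter present"
        try:
            argv = shlex.split(command)
        except ValueError as exc:  # unbalanced quotes and similar
            return False, f"unparseable command: {exc}"
        if not argv:
            return False, "empty command"
        if argv[0] not in self.allowed_executables:
            return False, f"executable not allowlisted: {argv[0]}"
        return True, "ok"

    def to_argv(self, command: str) -> list[str]:
        """Argv vector for subprocess.run(argv, shell=False); raises if denied."""
        allowed, reason = self.check(command)
        if not allowed:
            raise PermissionError(reason)
        return shlex.split(command)
```

Allowlisting argv[0] alone is a starting point, not a complete control: executables that take code as arguments (interpreters, `git` with hooks, etc.) need argument-level validation as well.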