| Title | FoundationAgents MetaGPT 0.8.1 OS Command Injection (CWE-78) |
|---|
| Description | # Technical Details
An OS Command Injection vulnerability exists in the get_mime_type() function of MetaGPT (metagpt/utils/common.py), which uses shell_execute() with a string command, triggering shell=True in subprocess.
The vulnerability stems from interpolating a user-controlled filename directly into a shell string: shell_execute(f"file --mime-type '{str(filename)}'"). When processing a malicious repository (e.g. via repo_to_markdown()), an attacker can craft a filename containing shell metacharacters like ;, ', or $(), escaping the quotes and injecting OS commands.
# Vulnerable Code
File: metagpt/tools/libs/shell.py
Method: shell_execute()
Why: Sets shell = True if the command is a string.
File: metagpt/utils/common.py
Method: get_mime_type()
Why: await shell_execute(f"file --mime-type '{str(filename)}'") passes unsanitized string directly to the shell.
# Reproduction
1. Create a repository with a maliciously crafted filename: touch "test';id>/tmp/rce_proof;'.txt"
2. Run MetaGPT's repo_to_markdown() or trigger get_mime_type() on this file.
3. The shell executes: file --mime-type 'test' ; id>/tmp/rce_proof ; '.txt'
4. Verify /tmp/rce_proof was created on the system.
# Impact
- Remote Code Execution (RCE): An attacker can supply a malicious repository. When a victim processes this repository with MetaGPT, the malicious filename triggers code execution, allowing full system access, arbitrary file read/write, and data exfiltration.
|
|---|
| Source | ⚠️ https://github.com/FoundationAgents/MetaGPT/issues/1930 |
|---|
| User | Eric-d (UID 96861) |
|---|
| Submission | 03/28/2026 04:23 (14 days ago) |
|---|
| Moderation | 04/09/2026 14:04 (12 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 356527 [FoundationAgents MetaGPT up to 0.8.1 metagpt/utils/common.py get_mime_type os command injection] |
|---|
| Points | 20 |
|---|