Submit #791758: FoundationAgents MetaGPT 0.8.1 OS Command Injection (CWE-78)

Title: FoundationAgents MetaGPT 0.8.1 OS Command Injection (CWE-78)
Description:

# Technical Details

An OS Command Injection vulnerability exists in MetaGPT because the Bash class is registered as an LLM-callable tool via the @register_tool(include_functions=["run"]) decorator. The Bash class (located in metagpt/tools/libs/terminal.py) is designed to run bash commands directly. Exposing its run() method to LLM agents allows those agents to execute arbitrary bash commands without any meaningful security restrictions.

# Vulnerable Code

File: metagpt/tools/libs/terminal.py
Method: Bash.run()
Why: The class is explicitly registered as a tool (@register_tool). Its run() method takes an LLM-provided string and passes it directly to self.run_command(cmd), which writes the command to a persistent bash process.

# Reproduction

1. Initialize the Bash tool in a MetaGPT script.
2. Formulate a prompt injection payload that instructs the LLM to call the tool with a malicious command: Bash().run("id > /tmp/bash_tool_rce_proof.txt")
3. Execute the workflow.
4. Verify that /tmp/bash_tool_rce_proof.txt is created with the command output.

# Impact

- Remote Code Execution (RCE): An attacker can supply external input that influences the LLM (prompt injection) to invoke the Bash tool with malicious commands. This leads to full system compromise, data exfiltration, and backdoor installation on the host running MetaGPT workflows.
Source: https://github.com/FoundationAgents/MetaGPT/issues/1931
User: Eric-d (UID 96861)
Submission: 03/28/2026 04:27 (13 days ago)
Moderation: 04/09/2026 14:04 (12 days later)
Status: Accepted
VulDB entry: 356528 [FoundationAgents MetaGPT up to 0.8.1 terminal.py Bash.run os command injection]
Points: 20
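The weakness in the Description is that an LLM-chosen string reaches a persistent bash process unvetted. The following is an added example, not MetaGPT's code: a hypothetical GuardedTerminal stands in for a tool's run() method, parses the string with shlex, checks the binary against an allowlist, rejects shell metacharacters, and executes with an argv list so no shell ever interprets the text. ALLOWED_BINARIES, SHELL_META, vet_command and Decision are assumed names.

```python
import shlex
import subprocess
from dataclasses import dataclass, field

# Hypothetical allowlist of binaries an agent tool may invoke directly.
ALLOWED_BINARIES = {"ls", "echo", "cat", "grep"}
# Characters that only carry meaning to a shell; refused outright so the
# refusal is explicit and loggable rather than silently passed as literals.
SHELL_META = set("|&;<>`$")


@dataclass
class Decision:
    allowed: bool
    reason: str
    argv: list[str] = field(default_factory=list)


def vet_command(cmd: str) -> Decision:
    """Decide whether an LLM-supplied command string may run at all."""
    try:
        argv = shlex.split(cmd)
    except ValueError as exc:  # unbalanced quotes and similar
        return Decision(False, f"unparseable: {exc}")
    if not argv:
        return Decision(False, "empty command")
    if argv[0] not in ALLOWED_BINARIES:
        return Decision(False, f"binary not allowlisted: {argv[0]}")
    for tok in argv:
        if any(ch in SHELL_META for ch in tok):
            return Decision(False, f"shell metacharacter in token: {tok}")
    return Decision(True, "ok", argv)


class GuardedTerminal:
    """Hypothetical replacement for a run(cmd) tool method (not MetaGPT's Bash).

    The vulnerable pattern writes cmd into a running bash process. Here the
    string is vetted and, if accepted, executed as an argv list with
    shell=False, so redirections, pipes and chaining are never evaluated.
    """

    def run(self, cmd: str) -> str:
        decision = vet_command(cmd)
        if not decision.allowed:
            # Return the refusal to the agent loop and log it instead of executing.
            return f"REFUSED: {decision.reason}"
        proc = subprocess.run(decision.argv, capture_output=True, text=True, timeout=10)
        return proc.stdout + proc.stderr
```

Run against the Description's own payload, vet_command refuses "id > /tmp/bash_tool_rce_proof.txt" on the allowlist check before the redirection is even considered.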