Submission #777654: letta-ai letta 0.16.4 CWE-95 information

Title: letta-ai letta 0.16.4 CWE-95
Description:

# Technical Details

A Remote Code Execution (RCE) vulnerability exists via eval() injection in the type annotation coercion mechanism of Letta. This is an incomplete fix for CVE-2025-6101. The patch for CVE-2025-6101 introduced a safe AST-based type resolver but kept an eval() fallback behind an allow_unsafe_eval flag. Although this flag defaults to False in the resolve_type() signature in letta/functions/ast_parsers.py (lines 55-86), it is hardcoded to True in the sandbox execution paths that call it. When a tool is executed, Letta coerces JSON arguments into Python types by evaluating their type annotations. An attacker can provide a malicious Python expression as a type annotation that bypasses the AST resolver and triggers the eval() fallback.

# Vulnerable Code

- File: letta/functions/ast_parsers.py (lines 55-86), method: resolve_type(). Why: uses eval(annotation, python_types) when allow_unsafe_eval=True. The python_types namespace includes vars(builtins), providing access to dangerous functions like __import__.
- File: letta/functions/helpers.py (in process_tool_arguments). Why: calls resolve_type with allow_unsafe_eval=True hardcoded.

# Reproduction

1. Deploy Letta v0.16.4.
2. Define a tool with a malicious type annotation. Example: `def pxc(cmd: '__import__("os").popen("id").read()'): pass`
3. Submit the tool and trigger its execution via POST /v1/tools/run.
4. The server evaluates the annotation during type coercion, executing the injected code.

# Impact

- Full Remote Code Execution (RCE) on the server.
- Unauthenticated access to the underlying OS.
- Potential for full system compromise.
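The advisory's core point is that an AST-based resolver only closes the hole if there is no eval() fallback at all. Below is an added example, not Letta's own code, of an allowlist-based resolver that maps annotation strings to Python types and rejects, rather than evaluates, anything other than plain type names and subscripts; resolve_type_safe, is_safe_annotation and the allowlist contents are assumptions.

```python
# Added example, not Letta's own code: an allowlist-based annotation resolver
# with no eval() fallback. Names, signatures and the allowlist are assumptions.
import ast
import typing
from typing import Any

# Only these names may appear in an annotation; there is no builtins namespace.
_ALLOWED_TYPES: dict[str, Any] = {
    "int": int, "float": float, "str": str, "bool": bool, "bytes": bytes,
    "list": list, "dict": dict, "tuple": tuple, "set": set, "Any": Any,
    "Optional": typing.Optional, "Union": typing.Union,
    "List": typing.List, "Dict": typing.Dict,
}


def _build(node: ast.AST) -> Any:
    """Rebuild a type from the AST, accepting only Name, Subscript, Tuple, None."""
    if isinstance(node, ast.Name):
        if node.id not in _ALLOWED_TYPES:
            raise ValueError(f"unknown type name: {node.id!r}")
        return _ALLOWED_TYPES[node.id]
    if isinstance(node, ast.Constant) and node.value is None:
        return type(None)
    if isinstance(node, ast.Subscript):
        base = _build(node.value)
        if isinstance(node.slice, ast.Tuple):
            return base[tuple(_build(elt) for elt in node.slice.elts)]
        return base[_build(node.slice)]
    # Call, Attribute, BinOp, Lambda and every other node are never valid here.
    raise ValueError(f"disallowed annotation node: {type(node).__name__}")


def resolve_type_safe(annotation: str) -> Any:
    """Resolve an annotation string without eval(); ValueError on anything
    that is not a plain type expression over the allowlist."""
    try:
        tree = ast.parse(annotation, mode="eval")
    except SyntaxError as exc:
        raise ValueError(f"not a valid annotation: {annotation!r}") from exc
    return _build(tree.body)


def is_safe_annotation(annotation: str) -> bool:
    """True when the annotation resolves under the allowlist, else False."""
    try:
        resolve_type_safe(annotation)
    except ValueError:
        return False
    return True
```

Requires Python 3.9 or later for the builtin generic subscripts; a caller that needs an unlisted type extends the allowlist rather than adding a fallback.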
Source: https://gist.github.com/YLChen-007/fc09bc447a73bba526c1642d9ce73ca5
User: Eric-z (UID 95890)
Submitted: 2026-03-11 14:45 (18 days ago)
Moderated: 2026-03-27 09:23 (16 days later)
Status: Accepted
VulDB entry: 353842 [letta-ai letta 0.16.4 Incomplete Fix CVE-2025-6101 ast_parsers.py resolve_type remote code execution]
Points: 20