Submission #792223: AgentScope <= 1.0.18 Code Injection (CWE-94) - Information

Title: AgentScope <= 1.0.18 Code Injection (CWE-94)
Description:

# Technical Details

A Code Injection / Remote Code Execution vulnerability exists in the `execute_python_code` and `execute_shell_command` methods in `src/agentscope/tool/_coding/_python.py` and `src/agentscope/tool/_coding/_shell.py` of AgentScope. The application does not sandbox or isolate the execution environment and passes LLM-generated arguments directly to subprocess execution without inspection or validation.

# Vulnerable Code

File: src/agentscope/tool/_coding/_python.py and src/agentscope/tool/_coding/_shell.py
Method: execute_python_code and execute_shell_command
Why: The functions write the provided code strings to a temp file and execute them via subprocess (`asyncio.create_subprocess_exec` and `asyncio.create_subprocess_shell`) with full inheritance of the server process environment (`os.environ.copy()`) and no sandboxing or privilege dropping.

# Reproduction

1. Deploy a ReActAgent with code execution tools (`execute_python_code`, `execute_shell_command`) exposed over HTTP, following the official patterns.
2. Send a crafted prompt-injection payload via HTTP POST to the agent's chat endpoint, instructing it to use `execute_python_code` to evaluate arbitrary Python code (e.g., retrieving system info).
3. The LLM processes the injected prompt and generates a tool call containing the malicious payload, which the server executes directly, resulting in RCE and environment variable exfiltration.

# Impact

- Arbitrary Code Execution
- Environment Variable Exfiltration (API keys, database credentials)
- Internal network lateral movement
- Data destruction or server compromise
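As an added illustration (not AgentScope's code), the following isolates the environment-inheritance point from the description: a hypothetical `run_untrusted_python` helper runs a code string in a child interpreter either with `os.environ.copy()` (the weak pattern) or with a scrubbed minimal environment, and a constructed probe reports whether a marker variable leaks into the child. Scrubbing the environment closes only the credential-exfiltration path; it is not a substitute for a real sandbox or privilege dropping.

```python
import os
import subprocess
import sys
import tempfile

# Minimal environment handed to the child: PATH (and SYSTEMROOT on Windows).
# Nothing else from the server's os.environ, so API keys and database
# credentials are simply absent from the untrusted process.
SAFE_ENV = {k: os.environ[k] for k in ("PATH", "SYSTEMROOT") if k in os.environ}


def run_untrusted_python(code: str, inherit_env: bool, timeout: float = 5.0) -> str:
    """Write `code` to a temp file and run it in a child interpreter.

    inherit_env=True reproduces the weak pattern described above
    (os.environ.copy()); inherit_env=False passes SAFE_ENV instead.
    Both variants avoid the shell and enforce a timeout. Returns stdout,
    or "TIMEOUT" if the child exceeded the limit.
    """
    env = os.environ.copy() if inherit_env else dict(SAFE_ENV)
    with tempfile.NamedTemporaryFile("w", suffix=".py", delete=False) as f:
        f.write(code)
        path = f.name
    try:
        proc = subprocess.run(
            [sys.executable, "-I", path],  # -I: isolated mode, ignores PYTHON* vars
            env=env, capture_output=True, text=True, timeout=timeout, check=False,
        )
        return proc.stdout
    except subprocess.TimeoutExpired:
        return "TIMEOUT"
    finally:
        os.unlink(path)


# Constructed probe: does the child see the marker variable?
PROBE = "import os; print('LEAKED' if 'DEMO_API_KEY' in os.environ else 'CLEAN')"


def demo() -> dict:
    # Constructed placeholder secret planted in the server's environment.
    os.environ["DEMO_API_KEY"] = "placeholder-not-a-real-key"
    return {
        "inherit": run_untrusted_python(PROBE, inherit_env=True).strip(),
        "scrubbed": run_untrusted_python(PROBE, inherit_env=False).strip(),
    }


if __name__ == "__main__":
    print(demo())  # {'inherit': 'LEAKED', 'scrubbed': 'CLEAN'}
```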
Source: https://gist.github.com/YLChen-007/c084d69aaeda6729f3988603f2b0ce6e
User: Eric-f (UID 96873)
Submitted: 2026-03-29 05:27 (28 days ago)
Moderated: 2026-04-19 16:12 (21 days later)
Status: Accepted
VulDB entry: 358238 [modelscope agentscope up to 1.0.18 _python.py execute_python_code/execute_shell_command privilege escalation]
Points: 20
