CVE-2024-6091

Advisory

A critical vulnerability in the ShellCommandExecutor component of the Forge library and significant-gravitas/autogpt affected versions allows attackers to execute arbitrary commands on the host system. The component lacks proper security measures, enabling command injection attacks. Additionally, attackers can bypass shell command denylists by using modified paths (e.g., /bin/./whoami). This vulnerability can lead to unauthorized access, data breaches, or system compromise. Users should avoid the ShellCommandExecutor in production, implement robust sandboxing, update autogpt to the latest version, and review command execution security measures to mitigate these risks.

Affected package

Affected versions

Fixed versions

Vulnerability changelog

This vulnerability has no description

Resources

• https://github.com/advisories/GHSA-g84q-54hf-36rg
• https://huntr.com/bounties/8a742c13-bb5e-4bc9-8b86-049d8a386050
• https://github.com/Significant-Gravitas/AutoGPT/commit/ef691359b774a1f9f80cf4f5ace9821967b718ed
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-6091