Vulnerabilities related to agpt - autogpt_classic
Vulnerability from fkie_nvd
Published
2024-06-06 19:15
Modified
2025-08-05 15:35
Summary
An OS command injection vulnerability exists in the MacOS Text-To-Speech class MacOSTTS of the significant-gravitas/autogpt project, affecting versions up to v0.5.0. The vulnerability arises from the improper neutralization of special elements used in an OS command within the `_speech` method of the MacOSTTS class. Specifically, the use of `os.system` to execute the `say` command with user-supplied text allows for arbitrary code execution if an attacker can inject shell commands. This issue is triggered when the AutoGPT instance is run with the `--speak` option enabled and configured with `TEXT_TO_SPEECH_PROVIDER=macos`, reflecting back a shell injection snippet. The impact of this vulnerability is the potential execution of arbitrary code on the instance running AutoGPT. The issue was addressed in version 5.1.0.
References
Source | URL | Tags
---|---|---
security@huntr.dev | https://github.com/significant-gravitas/autogpt/commit/26324f29849967fa72c207da929af612f1740669 | Patch
security@huntr.dev | https://huntr.com/bounties/4e742624-8771-4f3c-9634-3eaf33d6d58e | Exploit, Issue Tracking, Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/significant-gravitas/autogpt/commit/26324f29849967fa72c207da929af612f1740669 | Patch
af854a3a-2127-422b-91ae-364da2661108 | https://huntr.com/bounties/4e742624-8771-4f3c-9634-3eaf33d6d58e | Exploit, Issue Tracking, Patch, Third Party Advisory
Impacted products
Vendor | Product | Version
---|---|---
agpt | autogpt_classic | *
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:agpt:autogpt_classic:*:*:*:*:*:*:*:*", "matchCriteriaId": "83C6A7E4-7072-4D6E-906A-DF8BFCF0C2EE", "versionEndExcluding": "0.5.1", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "An OS command injection vulnerability exists in the MacOS Text-To-Speech class MacOSTTS of the significant-gravitas/autogpt project, affecting versions up to v0.5.0. The vulnerability arises from the improper neutralization of special elements used in an OS command within the `_speech` method of the MacOSTTS class. Specifically, the use of `os.system` to execute the `say` command with user-supplied text allows for arbitrary code execution if an attacker can inject shell commands. This issue is triggered when the AutoGPT instance is run with the `--speak` option enabled and configured with `TEXT_TO_SPEECH_PROVIDER=macos`, reflecting back a shell injection snippet. The impact of this vulnerability is the potential execution of arbitrary code on the instance running AutoGPT. The issue was addressed in version 5.1.0." }, { "lang": "es", "value": "Existe una vulnerabilidad de inyecci\u00f3n de comandos del sistema operativo en la clase MacOSTTS Text-To-Speech de MacOS del proyecto significant-gravitas/autogpt, que afecta a las versiones hasta la v0.5.0. La vulnerabilidad surge de la neutralizaci\u00f3n inadecuada de elementos especiales utilizados en un comando del sistema operativo dentro del m\u00e9todo `_speech` de la clase MacOSTTS. Espec\u00edficamente, el uso de `os.system` para ejecutar el comando `say` con texto proporcionado por el usuario permite la ejecuci\u00f3n de c\u00f3digo arbitrario si un atacante puede inyectar comandos de shell. 
Este problema se activa cuando la instancia de AutoGPT se ejecuta con la opci\u00f3n `--speak` habilitada y configurada con `TEXT_TO_SPEECH_PROVIDER=macos`, lo que refleja un fragmento de inyecci\u00f3n de shell. El impacto de esta vulnerabilidad es la posible ejecuci\u00f3n de c\u00f3digo arbitrario en la instancia que ejecuta AutoGPT. El problema se solucion\u00f3 en la versi\u00f3n 5.1.0." } ], "id": "CVE-2024-1880", "lastModified": "2025-08-05T15:35:27.480", "metrics": { "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0" }, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "security@huntr.dev", "type": "Secondary" } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2024-06-06T19:15:51.703", "references": [ { "source": "security@huntr.dev", "tags": [ "Patch" ], "url": "https://github.com/significant-gravitas/autogpt/commit/26324f29849967fa72c207da929af612f1740669" }, { "source": "security@huntr.dev", "tags": [ "Exploit", "Issue Tracking", "Patch", "Third Party Advisory" ], "url": "https://huntr.com/bounties/4e742624-8771-4f3c-9634-3eaf33d6d58e" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": 
"https://github.com/significant-gravitas/autogpt/commit/26324f29849967fa72c207da929af612f1740669" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Issue Tracking", "Patch", "Third Party Advisory" ], "url": "https://huntr.com/bounties/4e742624-8771-4f3c-9634-3eaf33d6d58e" } ], "sourceIdentifier": "security@huntr.dev", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-78" } ], "source": "security@huntr.dev", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2024-09-11 13:15
Modified
2025-08-05 15:35
Summary
A vulnerability in significant-gravitas/autogpt version 0.5.1 allows an attacker to bypass the shell commands denylist settings. The issue arises when the denylist is configured to block specific commands, such as 'whoami' and '/bin/whoami'. An attacker can circumvent this restriction by executing commands with a modified path, such as '/bin/./whoami', which is not recognized by the denylist.
References
Impacted products
Vendor | Product | Version
---|---|---
agpt | autogpt_classic | 0.5.1
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:agpt:autogpt_classic:0.5.1:*:*:*:*:*:*:*", "matchCriteriaId": "F28E8E47-F83A-4354-8A1F-D5D45551CACB", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "A vulnerability in significant-gravitas/autogpt version 0.5.1 allows an attacker to bypass the shell commands denylist settings. The issue arises when the denylist is configured to block specific commands, such as \u0027whoami\u0027 and \u0027/bin/whoami\u0027. An attacker can circumvent this restriction by executing commands with a modified path, such as \u0027/bin/./whoami\u0027, which is not recognized by the denylist." }, { "lang": "es", "value": "Una vulnerabilidad en la versi\u00f3n 0.5.1 de significant-gravitas/autogpt permite a un atacante eludir la configuraci\u00f3n de la lista de denegaci\u00f3n de comandos del shell. El problema surge cuando la lista de denegaci\u00f3n est\u00e1 configurada para bloquear comandos espec\u00edficos, como \"whoami\" y \"/bin/whoami\". Un atacante puede eludir esta restricci\u00f3n ejecutando comandos con una ruta modificada, como \"/bin/./whoami\", que no es reconocida por la lista de denegaci\u00f3n." 
} ], "id": "CVE-2024-6091", "lastModified": "2025-08-05T15:35:27.480", "metrics": { "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0" }, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "security@huntr.dev", "type": "Secondary" } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2024-09-11T13:15:03.440", "references": [ { "source": "security@huntr.dev", "tags": [ "Patch" ], "url": "https://github.com/significant-gravitas/autogpt/commit/ef691359b774a1f9f80cf4f5ace9821967b718ed" }, { "source": "security@huntr.dev", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://huntr.com/bounties/8a742c13-bb5e-4bc9-8b86-049d8a386050" } ], "sourceIdentifier": "security@huntr.dev", "vulnStatus": "Analyzed", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-78" } ], "source": "security@huntr.dev", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2024-06-06 19:15
Modified
2025-08-05 15:35
Summary
AutoGPT, a component of significant-gravitas/autogpt, is vulnerable to an improper neutralization of special elements used in an OS command ('OS Command Injection') due to a flaw in its shell command validation function. Specifically, the vulnerability exists in versions v0.5.0 up to but not including 5.1.0. The issue arises from the application's method of validating shell commands against an allowlist or denylist, where it only checks the first word of the command. This allows an attacker to bypass the intended restrictions by crafting commands that are executed despite not being on the allowlist or by including malicious commands not present in the denylist. Successful exploitation of this vulnerability could allow an attacker to execute arbitrary shell commands.
References
Impacted products
Vendor | Product | Version
---|---|---
agpt | autogpt_classic | *
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:agpt:autogpt_classic:*:*:*:*:*:*:*:*", "matchCriteriaId": "9A52AEC2-A059-4CA5-A8D8-D5DE045D3612", "versionEndExcluding": "0.5.1", "versionStartIncluding": "0.5.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "AutoGPT, a component of significant-gravitas/autogpt, is vulnerable to an improper neutralization of special elements used in an OS command (\u0027OS Command Injection\u0027) due to a flaw in its shell command validation function. Specifically, the vulnerability exists in versions v0.5.0 up to but not including 5.1.0. The issue arises from the application\u0027s method of validating shell commands against an allowlist or denylist, where it only checks the first word of the command. This allows an attacker to bypass the intended restrictions by crafting commands that are executed despite not being on the allowlist or by including malicious commands not present in the denylist. Successful exploitation of this vulnerability could allow an attacker to execute arbitrary shell commands." }, { "lang": "es", "value": "AutoGPT, un componente de significant-gravitas/autogpt, es vulnerable a una neutralizaci\u00f3n inadecuada de elementos especiales utilizados en un comando del sistema operativo (\u0027Inyecci\u00f3n de comando del sistema operativo\u0027) debido a una falla en su funci\u00f3n de validaci\u00f3n del comando de shell. Espec\u00edficamente, la vulnerabilidad existe en las versiones v0.5.0 hasta la 5.1.0, pero no incluida. El problema surge del m\u00e9todo de la aplicaci\u00f3n para validar los comandos del shell con una lista de permitidos o de denegados, donde solo verifica la primera palabra del comando. 
Esto permite a un atacante eludir las restricciones previstas creando comandos que se ejecutan a pesar de no estar en la lista de permitidos o incluyendo comandos maliciosos que no est\u00e1n presentes en la lista de prohibidos. La explotaci\u00f3n exitosa de esta vulnerabilidad podr\u00eda permitir a un atacante ejecutar comandos de shell arbitrarios." } ], "id": "CVE-2024-1881", "lastModified": "2025-08-05T15:35:27.480", "metrics": { "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0" }, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security@huntr.dev", "type": "Secondary" } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2024-06-06T19:15:51.920", "references": [ { "source": "security@huntr.dev", "tags": [ "Patch" ], "url": "https://github.com/significant-gravitas/autogpt/commit/26324f29849967fa72c207da929af612f1740669" }, { "source": "security@huntr.dev", "tags": [ "Third Party Advisory" ], "url": "https://huntr.com/bounties/416c4a8b-36ba-4bbc-850a-a2f978b0fac8" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "https://github.com/significant-gravitas/autogpt/commit/26324f29849967fa72c207da929af612f1740669" }, { "source": 
"af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://huntr.com/bounties/416c4a8b-36ba-4bbc-850a-a2f978b0fac8" } ], "sourceIdentifier": "security@huntr.dev", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-78" } ], "source": "security@huntr.dev", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2025-03-20 10:15
Modified
2025-08-05 15:35
Summary
A command injection vulnerability exists in the workflow-checker.yml workflow of significant-gravitas/autogpt. The untrusted user input `github.head.ref` is used insecurely, allowing an attacker to inject arbitrary commands. This vulnerability affects versions up to and including the latest version. An attacker can exploit this by creating a branch name with a malicious payload and opening a pull request, potentially leading to reverse shell access or theft of sensitive tokens and keys.
References
Impacted products
Vendor | Product | Version
---|---|---
agpt | autogpt_classic | *
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:agpt:autogpt_classic:*:*:*:*:*:*:*:*", "matchCriteriaId": "83C6A7E4-7072-4D6E-906A-DF8BFCF0C2EE", "versionEndExcluding": "0.5.1", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "A command injection vulnerability exists in the workflow-checker.yml workflow of significant-gravitas/autogpt. The untrusted user input `github.head.ref` is used insecurely, allowing an attacker to inject arbitrary commands. This vulnerability affects versions up to and including the latest version. An attacker can exploit this by creating a branch name with a malicious payload and opening a pull request, potentially leading to reverse shell access or theft of sensitive tokens and keys." }, { "lang": "es", "value": "Existe una vulnerabilidad de inyecci\u00f3n de comandos en el flujo de trabajo workflow-checker.yml de significant-gravitas/autogpt. La entrada de usuario no confiable `github.head.ref` se usa de forma insegura, lo que permite a un atacante inyectar comandos arbitrarios. Esta vulnerabilidad afecta a versiones hasta la m\u00e1s reciente. Un atacante puede explotarla creando un nombre de rama con una carga maliciosa y abriendo una solicitud de extracci\u00f3n, lo que podr\u00eda provocar acceso inverso al shell o el robo de tokens y claves confidenciales." 
} ], "id": "CVE-2024-8156", "lastModified": "2025-08-05T15:35:27.480", "metrics": { "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0" }, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security@huntr.dev", "type": "Secondary" } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2025-03-20T10:15:41.247", "references": [ { "source": "security@huntr.dev", "tags": [ "Patch" ], "url": "https://github.com/significant-gravitas/autogpt/commit/1df7d527dd37dff8363dc162fb58d300f072e302" }, { "source": "security@huntr.dev", "tags": [ "Exploit" ], "url": "https://huntr.com/bounties/959efe87-f109-4cef-94d8-90ff2c7aef51" }, { "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": [ "Exploit" ], "url": "https://huntr.com/bounties/959efe87-f109-4cef-94d8-90ff2c7aef51" } ], "sourceIdentifier": "security@huntr.dev", "vulnStatus": "Analyzed", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-94" } ], "source": "security@huntr.dev", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2024-06-06 18:15
Modified
2025-08-05 15:35
Summary
A Cross-Site Request Forgery (CSRF) vulnerability in significant-gravitas/autogpt version v0.5.0 allows attackers to execute arbitrary commands on the AutoGPT server. The vulnerability stems from the lack of protections on the API endpoint receiving instructions, enabling an attacker to direct a user running AutoGPT in their local network to a malicious website. This site can then send crafted requests to the AutoGPT server, leading to command execution. The issue is exacerbated by CORS being enabled for arbitrary origins by default, allowing the attacker to read the response of all cross-site queries. This vulnerability was addressed in version 5.1.
References
Impacted products
Vendor | Product | Version
---|---|---
agpt | autogpt_classic | 0.5.0
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:agpt:autogpt_classic:0.5.0:*:*:*:*:*:*:*", "matchCriteriaId": "6485BCA3-37D6-4350-8510-FE3EDF4CD23E", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "A Cross-Site Request Forgery (CSRF) vulnerability in significant-gravitas/autogpt version v0.5.0 allows attackers to execute arbitrary commands on the AutoGPT server. The vulnerability stems from the lack of protections on the API endpoint receiving instructions, enabling an attacker to direct a user running AutoGPT in their local network to a malicious website. This site can then send crafted requests to the AutoGPT server, leading to command execution. The issue is exacerbated by CORS being enabled for arbitrary origins by default, allowing the attacker to read the response of all cross-site queries. This vulnerability was addressed in version 5.1." }, { "lang": "es", "value": "Una vulnerabilidad de Cross-Site Request Forgery (CSRF) en la versi\u00f3n v0.5.0 de significant-gravitas/autogpt permite a los atacantes ejecutar comandos arbitrarios en el servidor AutoGPT. La vulnerabilidad se debe a la falta de protecci\u00f3n en el endpoint API que recibe instrucciones, lo que permite a un atacante dirigir a un usuario que ejecuta AutoGPT en su red local a un sitio web malicioso. Luego, este sitio puede enviar solicitudes manipuladas al servidor AutoGPT, lo que lleva a la ejecuci\u00f3n del comando. El problema se ve agravado por el hecho de que CORS est\u00e1 habilitado para or\u00edgenes arbitrarios de forma predeterminada, lo que permite al atacante leer la respuesta de todas las consultas entre sitios. Esta vulnerabilidad se solucion\u00f3 en la versi\u00f3n 5.1." 
} ], "id": "CVE-2024-1879", "lastModified": "2025-08-05T15:35:27.480", "metrics": { "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0" }, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security@huntr.dev", "type": "Secondary" } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2024-06-06T18:15:12.827", "references": [ { "source": "security@huntr.dev", "tags": [ "Patch" ], "url": "https://github.com/significant-gravitas/autogpt/commit/26324f29849967fa72c207da929af612f1740669" }, { "source": "security@huntr.dev", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://huntr.com/bounties/125c2d0c-0481-4e5c-ae90-fec263acdf32" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "https://github.com/significant-gravitas/autogpt/commit/26324f29849967fa72c207da929af612f1740669" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://huntr.com/bounties/125c2d0c-0481-4e5c-ae90-fec263acdf32" } ], "sourceIdentifier": "security@huntr.dev", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-352" } ], "source": "security@huntr.dev", "type": "Primary" } ] }
CVE-2024-1880 (GCVE-0-2024-1880)
Vulnerability from cvelistv5
Published
2024-06-06 18:39
Modified
2024-08-01 18:56
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command
Summary
An OS command injection vulnerability exists in the MacOS Text-To-Speech class MacOSTTS of the significant-gravitas/autogpt project, affecting versions up to v0.5.0. The vulnerability arises from the improper neutralization of special elements used in an OS command within the `_speech` method of the MacOSTTS class. Specifically, the use of `os.system` to execute the `say` command with user-supplied text allows for arbitrary code execution if an attacker can inject shell commands. This issue is triggered when the AutoGPT instance is run with the `--speak` option enabled and configured with `TEXT_TO_SPEECH_PROVIDER=macos`, reflecting back a shell injection snippet. The impact of this vulnerability is the potential execution of arbitrary code on the instance running AutoGPT. The issue was addressed in version 5.1.0.
References
Impacted products
Vendor | Product | Version
---|---|---
significant-gravitas | significant-gravitas/autogpt | unspecified < 5.1.0
{ "containers": { "adp": [ { "affected": [ { "cpes": [ "cpe:2.3:a:significant-gravitas:autogpt:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "autogpt", "vendor": "significant-gravitas", "versions": [ { "status": "affected", "version": "0.5.0" } ] } ], "metrics": [ { "other": { "content": { "id": "CVE-2024-1880", "options": [ { "Exploitation": "poc" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2024-06-06T19:45:42.562476Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-06T19:48:31.759Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-01T18:56:22.364Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://huntr.com/bounties/4e742624-8771-4f3c-9634-3eaf33d6d58e" }, { "tags": [ "x_transferred" ], "url": "https://github.com/significant-gravitas/autogpt/commit/26324f29849967fa72c207da929af612f1740669" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "significant-gravitas/autogpt", "vendor": "significant-gravitas", "versions": [ { "lessThan": "5.1.0", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "descriptions": [ { "lang": "en", "value": "An OS command injection vulnerability exists in the MacOS Text-To-Speech class MacOSTTS of the significant-gravitas/autogpt project, affecting versions up to v0.5.0. The vulnerability arises from the improper neutralization of special elements used in an OS command within the `_speech` method of the MacOSTTS class. Specifically, the use of `os.system` to execute the `say` command with user-supplied text allows for arbitrary code execution if an attacker can inject shell commands. 
This issue is triggered when the AutoGPT instance is run with the `--speak` option enabled and configured with `TEXT_TO_SPEECH_PROVIDER=macos`, reflecting back a shell injection snippet. The impact of this vulnerability is the potential execution of arbitrary code on the instance running AutoGPT. The issue was addressed in version 5.1.0." } ], "metrics": [ { "cvssV3_0": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-78", "description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-06-06T18:39:43.516Z", "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "shortName": "@huntr_ai" }, "references": [ { "url": "https://huntr.com/bounties/4e742624-8771-4f3c-9634-3eaf33d6d58e" }, { "url": "https://github.com/significant-gravitas/autogpt/commit/26324f29849967fa72c207da929af612f1740669" } ], "source": { "advisory": "4e742624-8771-4f3c-9634-3eaf33d6d58e", "discovery": "EXTERNAL" }, "title": "OS Command Injection in MacOS Text-To-Speech Class in significant-gravitas/autogpt" } }, "cveMetadata": { "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "assignerShortName": "@huntr_ai", "cveId": "CVE-2024-1880", "datePublished": "2024-06-06T18:39:43.516Z", "dateReserved": "2024-02-26T02:50:00.773Z", "dateUpdated": "2024-08-01T18:56:22.364Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2024-6091 (GCVE-0-2024-6091)
Vulnerability from cvelistv5
Published
2024-09-11 12:49
Modified
2024-09-11 18:23
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command
Summary
A vulnerability in significant-gravitas/autogpt version 0.5.1 allows an attacker to bypass the shell commands denylist settings. The issue arises when the denylist is configured to block specific commands, such as 'whoami' and '/bin/whoami'. An attacker can circumvent this restriction by executing commands with a modified path, such as '/bin/./whoami', which is not recognized by the denylist.
References
Impacted products
Vendor | Product | Version
---|---|---
significant-gravitas | significant-gravitas/autogpt | unspecified < 0.5.1
{ "containers": { "adp": [ { "affected": [ { "cpes": [ "cpe:2.3:a:significant-gravitas:autogpt:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "autogpt", "vendor": "significant-gravitas", "versions": [ { "lessThan": "0.5.1", "status": "affected", "version": "0", "versionType": "custom" } ] } ], "metrics": [ { "other": { "content": { "id": "CVE-2024-6091", "options": [ { "Exploitation": "poc" }, { "Automatable": "yes" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2024-09-11T18:22:48.647499Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-09-11T18:23:23.728Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "significant-gravitas/autogpt", "vendor": "significant-gravitas", "versions": [ { "lessThan": "0.5.1", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "descriptions": [ { "lang": "en", "value": "A vulnerability in significant-gravitas/autogpt version 0.5.1 allows an attacker to bypass the shell commands denylist settings. The issue arises when the denylist is configured to block specific commands, such as \u0027whoami\u0027 and \u0027/bin/whoami\u0027. An attacker can circumvent this restriction by executing commands with a modified path, such as \u0027/bin/./whoami\u0027, which is not recognized by the denylist." 
} ], "metrics": [ { "cvssV3_0": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-78", "description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-09-11T12:49:07.293Z", "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "shortName": "@huntr_ai" }, "references": [ { "url": "https://huntr.com/bounties/8a742c13-bb5e-4bc9-8b86-049d8a386050" }, { "url": "https://github.com/significant-gravitas/autogpt/commit/ef691359b774a1f9f80cf4f5ace9821967b718ed" } ], "source": { "advisory": "8a742c13-bb5e-4bc9-8b86-049d8a386050", "discovery": "EXTERNAL" }, "title": "Shell Command Denylist Bypass in significant-gravitas/autogpt" } }, "cveMetadata": { "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "assignerShortName": "@huntr_ai", "cveId": "CVE-2024-6091", "datePublished": "2024-09-11T12:49:07.293Z", "dateReserved": "2024-06-17T18:16:47.500Z", "dateUpdated": "2024-09-11T18:23:23.728Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2024-8156 (GCVE-0-2024-8156)
Vulnerability from cvelistv5
Published
2025-03-20 10:09
Modified
2025-03-20 13:54
CWE
- CWE-94 - Improper Control of Generation of Code
Summary
A command injection vulnerability exists in the workflow-checker.yml workflow of significant-gravitas/autogpt. The untrusted user input `github.head.ref` is used insecurely, allowing an attacker to inject arbitrary commands. This vulnerability affects versions up to and including the latest version. An attacker can exploit this by creating a branch name with a malicious payload and opening a pull request, potentially leading to reverse shell access or theft of sensitive tokens and keys.
References
Impacted products
Vendor | Product | Version
---|---|---
significant-gravitas | significant-gravitas/autogpt | unspecified < 0.5.1
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-8156", "options": [ { "Exploitation": "poc" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2025-03-20T13:52:50.036595Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-03-20T13:54:05.257Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "references": [ { "tags": [ "exploit" ], "url": "https://huntr.com/bounties/959efe87-f109-4cef-94d8-90ff2c7aef51" } ], "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "significant-gravitas/autogpt", "vendor": "significant-gravitas", "versions": [ { "lessThan": "0.5.1", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "descriptions": [ { "lang": "en", "value": "A command injection vulnerability exists in the workflow-checker.yml workflow of significant-gravitas/autogpt. The untrusted user input `github.head.ref` is used insecurely, allowing an attacker to inject arbitrary commands. This vulnerability affects versions up to and including the latest version. An attacker can exploit this by creating a branch name with a malicious payload and opening a pull request, potentially leading to reverse shell access or theft of sensitive tokens and keys." 
} ], "metrics": [ { "cvssV3_0": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-94", "description": "CWE-94 Improper Control of Generation of Code", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-03-20T10:09:12.930Z", "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "shortName": "@huntr_ai" }, "references": [ { "url": "https://huntr.com/bounties/959efe87-f109-4cef-94d8-90ff2c7aef51" }, { "url": "https://github.com/significant-gravitas/autogpt/commit/1df7d527dd37dff8363dc162fb58d300f072e302" } ], "source": { "advisory": "959efe87-f109-4cef-94d8-90ff2c7aef51", "discovery": "EXTERNAL" }, "title": "Command Injection in significant-gravitas/autogpt" } }, "cveMetadata": { "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "assignerShortName": "@huntr_ai", "cveId": "CVE-2024-8156", "datePublished": "2025-03-20T10:09:12.930Z", "dateReserved": "2024-08-25T17:45:18.099Z", "dateUpdated": "2025-03-20T13:54:05.257Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2024-1879 (GCVE-0-2024-1879)
Vulnerability from cvelistv5
Published
2024-06-06 17:53
Modified
2024-08-21 14:26
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Summary
A Cross-Site Request Forgery (CSRF) vulnerability in significant-gravitas/autogpt version v0.5.0 allows attackers to execute arbitrary commands on the AutoGPT server. The vulnerability stems from the lack of protections on the API endpoint receiving instructions, enabling an attacker to direct a user running AutoGPT in their local network to a malicious website. This site can then send crafted requests to the AutoGPT server, leading to command execution. The issue is exacerbated by CORS being enabled for arbitrary origins by default, allowing the attacker to read the response of all cross-site queries. This vulnerability was addressed in version 5.1.
References
Impacted products
Vendor | Product | Version
---|---|---
significant-gravitas | significant-gravitas/autogpt | unspecified < 5.1
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-01T18:56:22.272Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://huntr.com/bounties/125c2d0c-0481-4e5c-ae90-fec263acdf32" }, { "tags": [ "x_transferred" ], "url": "https://github.com/significant-gravitas/autogpt/commit/26324f29849967fa72c207da929af612f1740669" } ], "title": "CVE Program Container" }, { "affected": [ { "cpes": [ "cpe:2.3:a:significant-gravitas:autogpt:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "autogpt", "vendor": "significant-gravitas", "versions": [ { "status": "affected", "version": "0.5.0" } ] } ], "metrics": [ { "other": { "content": { "id": "CVE-2024-1879", "options": [ { "Exploitation": "poc" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2024-08-21T14:25:04.652037Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-08-21T14:26:56.090Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "significant-gravitas/autogpt", "vendor": "significant-gravitas", "versions": [ { "lessThan": "5.1", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "descriptions": [ { "lang": "en", "value": "A Cross-Site Request Forgery (CSRF) vulnerability in significant-gravitas/autogpt version v0.5.0 allows attackers to execute arbitrary commands on the AutoGPT server. The vulnerability stems from the lack of protections on the API endpoint receiving instructions, enabling an attacker to direct a user running AutoGPT in their local network to a malicious website. This site can then send crafted requests to the AutoGPT server, leading to command execution. 
The issue is exacerbated by CORS being enabled for arbitrary origins by default, allowing the attacker to read the response of all cross-site queries. This vulnerability was addressed in version 5.1." } ], "metrics": [ { "cvssV3_0": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-06-06T17:53:21.654Z", "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "shortName": "@huntr_ai" }, "references": [ { "url": "https://huntr.com/bounties/125c2d0c-0481-4e5c-ae90-fec263acdf32" }, { "url": "https://github.com/significant-gravitas/autogpt/commit/26324f29849967fa72c207da929af612f1740669" } ], "source": { "advisory": "125c2d0c-0481-4e5c-ae90-fec263acdf32", "discovery": "EXTERNAL" }, "title": "CSRF to RCE in significant-gravitas/autogpt" } }, "cveMetadata": { "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "assignerShortName": "@huntr_ai", "cveId": "CVE-2024-1879", "datePublished": "2024-06-06T17:53:21.654Z", "dateReserved": "2024-02-26T02:49:34.723Z", "dateUpdated": "2024-08-21T14:26:56.090Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2024-1881 (GCVE-0-2024-1881)
Vulnerability from cvelistv5
Published
2024-06-06 18:19
Modified
2024-08-01 18:56
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command
Summary
AutoGPT, a component of significant-gravitas/autogpt, is vulnerable to an improper neutralization of special elements used in an OS command ('OS Command Injection') due to a flaw in its shell command validation function. Specifically, the vulnerability exists in versions v0.5.0 up to but not including 5.1.0. The issue arises from the application's method of validating shell commands against an allowlist or denylist, where it only checks the first word of the command. This allows an attacker to bypass the intended restrictions by crafting commands that are executed despite not being on the allowlist or by including malicious commands not present in the denylist. Successful exploitation of this vulnerability could allow an attacker to execute arbitrary shell commands.
References
Impacted products
Vendor | Product | Version
---|---|---
significant-gravitas | significant-gravitas/autogpt | unspecified < 5.1.0
{ "containers": { "adp": [ { "affected": [ { "cpes": [ "cpe:2.3:a:significant-gravitas:autogpt:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "autogpt", "vendor": "significant-gravitas", "versions": [ { "lessThan": "5.1.0", "status": "affected", "version": "0.5.0", "versionType": "custom" } ] } ], "metrics": [ { "other": { "content": { "id": "CVE-2024-1881", "options": [ { "Exploitation": "poc" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2024-07-19T13:47:34.891631Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-07-19T20:57:23.522Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-01T18:56:22.433Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://huntr.com/bounties/416c4a8b-36ba-4bbc-850a-a2f978b0fac8" }, { "tags": [ "x_transferred" ], "url": "https://github.com/significant-gravitas/autogpt/commit/26324f29849967fa72c207da929af612f1740669" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "significant-gravitas/autogpt", "vendor": "significant-gravitas", "versions": [ { "lessThan": "5.1.0", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "descriptions": [ { "lang": "en", "value": "AutoGPT, a component of significant-gravitas/autogpt, is vulnerable to an improper neutralization of special elements used in an OS command (\u0027OS Command Injection\u0027) due to a flaw in its shell command validation function. Specifically, the vulnerability exists in versions v0.5.0 up to but not including 5.1.0. The issue arises from the application\u0027s method of validating shell commands against an allowlist or denylist, where it only checks the first word of the command. 
This allows an attacker to bypass the intended restrictions by crafting commands that are executed despite not being on the allowlist or by including malicious commands not present in the denylist. Successful exploitation of this vulnerability could allow an attacker to execute arbitrary shell commands." } ], "metrics": [ { "cvssV3_0": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-78", "description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-06-06T18:19:08.151Z", "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "shortName": "@huntr_ai" }, "references": [ { "url": "https://huntr.com/bounties/416c4a8b-36ba-4bbc-850a-a2f978b0fac8" }, { "url": "https://github.com/significant-gravitas/autogpt/commit/26324f29849967fa72c207da929af612f1740669" } ], "source": { "advisory": "416c4a8b-36ba-4bbc-850a-a2f978b0fac8", "discovery": "EXTERNAL" }, "title": "Improper Neutralization of Special Elements used in an OS Command in significant-gravitas/autogpt" } }, "cveMetadata": { "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "assignerShortName": "@huntr_ai", "cveId": "CVE-2024-1881", "datePublished": "2024-06-06T18:19:08.151Z", "dateReserved": "2024-02-26T02:50:23.895Z", "dateUpdated": "2024-08-01T18:56:22.433Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }