
Asuka39

#22157 of 53,632
10.3 Total CVSS
Vulnerabilities · 2
Medium
2
PT-2026-47177
5.0
2026-06-07
Foundation Agents · Metagpt · CVE-2026-11455
**Name of the Vulnerable Software and Affected Versions**
FoundationAgents MetaGPT versions prior to 0.8.3

**Description**
Command injection is possible via the `mermaid.path` argument in the `check_cmd_exists()` function located in the `metagpt/utils/common.py` file. This issue allows a remote attacker to execute arbitrary commands, although the attack requires a high degree of complexity and is considered difficult to exploit.

**Recommendations**
Update to a version later than 0.8.2. As a temporary workaround, restrict or avoid the use of the `mermaid.path` argument within the `check_cmd_exists()` function.
PT-2026-45684
5.3
2026-06-02
Foundation Agents · Metagpt · CVE-2026-10566
**Name of the Vulnerable Software and Affected Versions**
FoundationAgents MetaGPT versions prior to 0.8.3

**Description**
A weakness exists in the `Message.check_instruct_content()` function within the `metagpt/schema.py` file. Manipulation of the `mapping` argument can lead to deserialization, which is the process of converting a data stream back into an object. This issue is restricted to local execution.

**Recommendations**
At the moment, there is no information about a newer version that contains a fix for this vulnerability.