PT-2023-25877 · Autogpt · Autogpt

Lukas-Eu · Published 2023-07-13 · Updated 2023-07-27 · CVE-2023-37274

CVSS v3.1: 7.5 (High)

Vector: AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Auto-GPT versions prior to 0.4.3

Description

The issue allows for a path traversal attack, enabling the overwrite of any .py file outside the workspace directory by specifying a malicious basename argument, such as ../../../main.py. This can be further exploited to achieve arbitrary code execution on the host running Auto-GPT. For example, overwriting autogpt/main.py can lead to code execution outside the intended docker sandbox environment when Auto-GPT is restarted.

Recommendations

For versions prior to 0.4.3, update to version 0.4.3 to resolve the issue. As a temporary workaround, consider running Auto-GPT in a virtual machine or an environment where file damage or program corruption is not critical.
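
The containment check that this class of bug calls for, as an added example (it is not Auto-GPT's code and not the 0.4.3 fix): the hypothetical helper `resolve_in_workspace` resolves a caller-supplied basename and rejects any result that lands outside the workspace, including the `../../../main.py` form from the description. The directory layout and file names used in `demo()` are constructed.

```python
import os
import tempfile
from pathlib import Path


class PathOutsideWorkspace(ValueError):
    """Raised when a caller-supplied name resolves outside the workspace."""


def resolve_in_workspace(workspace: Path, basename: str) -> Path:
    """Return the absolute path for basename, or raise if it escapes workspace.

    Hypothetical helper for illustration, not part of Auto-GPT's API.
    """
    if "\x00" in basename:
        raise PathOutsideWorkspace("NUL byte in file name")
    root = workspace.resolve()
    # resolve() collapses ".." segments and follows symlinks, so the check
    # below is made on the location the write would actually land on.
    candidate = (root / basename).resolve()
    if not candidate.is_relative_to(root):  # Python 3.9+
        raise PathOutsideWorkspace(f"{basename!r} resolves to {candidate}")
    return candidate


def demo() -> dict:
    """Run the check over constructed inputs; returns name -> 'ok'/'blocked'."""
    names = ["task.py", "sub/../task.py", "../main.py",
             "../../../main.py", "/etc/x.py", "link/main.py"]
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        workspace = base / "workspace"
        workspace.mkdir()
        # Constructed stand-in for a program file outside the workspace.
        (base / "main.py").write_text("print('original')\n")
        # A symlink inside the workspace that points out of it.
        os.symlink(base, workspace / "link")
        for name in names:
            try:
                resolve_in_workspace(workspace, name)
                results[name] = "ok"
            except PathOutsideWorkspace:
                results[name] = "blocked"
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{verdict:8} {name}")
```

The check is made on the resolved path rather than on the string, which is why the absolute path and the symlink case are rejected along with the `..` forms.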

Exploit

Fix

Code Injection

Weakness Enumeration

Related identifiers

CVE-2023-37274
GHSA-5H38-MGP9-RJ5F

Affected products

Autogpt