PT-2024-10397 · Significant Gravitas · Autogpt

Published: 2024-09-11 · Updated: 2025-08-05 · CVE-2024-6091

CVSS v2.0: 10 (Critical)

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: significant-gravitas/autogpt version 0.5.1
Description: A vulnerability in significant-gravitas/autogpt allows an attacker to bypass the shell command denylist. When the denylist is configured to block specific commands, such as whoami and /bin/whoami, the denylist matches the command string as written rather than a normalized executable path, so an equivalent spelling of the same path, such as /bin/./whoami, is not recognized as blocked and is executed. Over 166,000 projects are at risk due to this vulnerability.
Recommendations: As a temporary workaround, disable the execution of shell commands until a fixed release is available. Do not rely on the denylist to block individual commands: because the comparison is made against the command as typed, an attacker can rewrite the path (for example /bin/./whoami) to evade it; if shell execution must remain enabled, an allowlist of permitted commands is the safer control. Restrict access to the denylist settings to minimize the risk of exploitation. Update to a version that contains a fix for this vulnerability once one is available; at the time of writing, no fixed version is known.
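The following Python is an added illustration of the bypass described above and of the two recommendations (normalize before matching, and prefer an allowlist). It is not AutoGPT's code and does not come from the advisory; the denylist, allowlist and function names are hypothetical, and the commands fed to it are constructed for the example. A naive check that compares the first token of the command line verbatim is placed beside a check that normalizes the path and reduces it to the executable name, and beside an allowlist that rejects anything not explicitly permitted.

```python
import os
import shlex

# Constructed example denylist, mirroring the advisory: the operator blocks
# "whoami" as a bare name and as an absolute path.
DENYLIST = ["whoami", "/bin/whoami"]

# Constructed example allowlist for the hardened alternative.
ALLOWLIST = {"ls", "cat", "grep"}


def naive_is_blocked(command: str) -> bool:
    """Check of the kind the advisory describes (illustrative, not AutoGPT's
    code): the first token of the command line is compared verbatim against
    the denylist, so any alternative spelling of the same path slips through.
    """
    argv = shlex.split(command)
    return bool(argv) and argv[0] in DENYLIST


def canonical_executable(token: str) -> str:
    """Reduce a command token to the executable name a denylist entry is
    meant to describe: collapse '.' and '..' segments and keep only the
    basename. Bare names (resolved via PATH by the shell) are returned as is.
    Symlinks are deliberately not resolved: on systems where /bin/whoami is a
    link to a multi-call binary such as busybox, realpath would turn the
    name into "busybox" and defeat the comparison.
    """
    if "/" in token:
        token = os.path.normpath(token)
    return os.path.basename(token)


DENY_BASENAMES = {canonical_executable(entry) for entry in DENYLIST}


def hardened_is_blocked(command: str) -> bool:
    """Denylist check that normalizes the path before matching. This closes
    the /bin/./whoami bypass, but a denylist still cannot stop a wrapper such
    as `env whoami` or `sh -c whoami`, which is why the advisory recommends
    against relying on one.
    """
    argv = shlex.split(command)
    if not argv:
        return False
    return canonical_executable(argv[0]) in DENY_BASENAMES


def allowlist_permits(command: str) -> bool:
    """Allowlist alternative: only a normalized executable name that is
    explicitly permitted may run. Wrappers and interpreters are refused
    unless they are themselves on the list, so `env whoami` is rejected.
    """
    argv = shlex.split(command)
    if not argv:
        return False
    return canonical_executable(argv[0]) in ALLOWLIST


if __name__ == "__main__":
    samples = ["whoami", "/bin/whoami", "/bin/./whoami",
               "/bin/../bin/whoami", "env whoami", "ls -la"]
    for cmd in samples:
        print(f"{cmd!r:24} naive_blocked={naive_is_blocked(cmd)!s:5} "
              f"hardened_blocked={hardened_is_blocked(cmd)!s:5} "
              f"allowlisted={allowlist_permits(cmd)}")
```

Running the block shows `/bin/./whoami` and `/bin/../bin/whoami` passing the naive check and being caught by the normalized one, while `env whoami` passes both denylist checks and is only stopped by the allowlist. That last case is the practical reason the recommendations favour disabling shell execution or allowlisting over any denylist.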

Exploit

Weakness Enumeration: OS Command Injection

Related Identifiers: BDU:2025-00913, CVE-2024-6091, GHSA-G84Q-54HF-36RG

Affected Products: Autogpt