PT-2024-3487 · Autogpt · Autogpt

Published: 2024-02-13 · Updated: 2025-08-05 · CVE-2024-1880

CVSS v3.1: 7.8 (High)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: autogpt versions up to v0.5.0
Description: An OS command injection issue exists due to improper neutralization of special elements used in an OS command. Arbitrary code execution is possible if an attacker can inject shell commands, specifically where os.system is used to execute the say command with user-supplied text. The issue is triggered when the AutoGPT instance is run with the --speak option enabled and configured with TEXT_TO_SPEECH_PROVIDER=macos. The impact is the potential execution of arbitrary code on the host running AutoGPT.
Recommendations: For versions up to v0.5.0, update to version 5.1.0 to resolve the issue. As a temporary workaround, consider disabling the --speak option until a patch is available. Restrict access to the MacOSTTS class to minimize the risk of exploitation. Avoid using the TEXT_TO_SPEECH_PROVIDER=macos configuration until the issue is resolved.
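The pattern the advisory describes (user text spliced into an os.system string) beside its hardened form, as an added illustration that is not AutoGPT's own code; the sample text and the helper names are constructed for this example.

```python
# Added example (not AutoGPT's code): the unsafe string-building pattern the
# advisory describes, next to an argv-based fix and a simple detection check.
import shlex
import shutil
import subprocess

# Constructed sample text: a double quote followed by ';' is enough to end the
# quoted argument when /bin/sh parses the line built by os.system().
SAMPLE_TEXT = 'hello"; echo injected'

SHELL_METACHARS = set(';&|`$<>"\'\\\n')


def build_unsafe_command(text: str) -> str:
    """Vulnerable pattern: text is spliced into one string that os.system()
    hands to the shell, so shell syntax inside `text` is interpreted."""
    return f'say "{text}"'


def build_safe_argv(text: str) -> list:
    """Hardened pattern: an argv list and no shell at all. The whole text
    becomes exactly one argument to `say`, whatever characters it holds."""
    return ["say", text]


def build_safe_shell_command(text: str) -> str:
    """If a shell string is unavoidable, shlex.quote makes every metacharacter
    in the argument literal."""
    return f"say {shlex.quote(text)}"


def contains_shell_metachars(text: str) -> bool:
    """Detection signal (for logging/alerting, not a substitute for the fix):
    does the text contain characters that would alter a shell command line?"""
    return any(ch in SHELL_METACHARS for ch in text)


def speak(text: str) -> bool:
    """Run the macOS `say` binary without a shell. Returns False when `say`
    is absent (non-macOS hosts) instead of failing."""
    if shutil.which("say") is None:
        return False
    subprocess.run(build_safe_argv(text), check=True)  # never shell=True
    return True


if __name__ == "__main__":
    print("unsafe string :", build_unsafe_command(SAMPLE_TEXT))
    print("safe argv     :", build_safe_argv(SAMPLE_TEXT))
    print("safe shell    :", build_safe_shell_command(SAMPLE_TEXT))
```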

Weakness Enumeration

OS Command Injection

Related Identifiers

BDU:2024-03789
CVE-2024-1880

Affected Products

Autogpt