PT-2025-18101 · Unknown · Inclusionai Aworld

Ybdesire · Published 2025-04-28 · Updated 2025-05-01 · CVE-2025-4032

CVSS v3.1: 8.1 (High)

Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: inclusionAI AWorld up to 8c257626e648d98d793dd9a1a950c2af4dd84c4e

Description: A critical issue affects the subprocess.run/subprocess.Popen function of the file AWorld/aworld/virtual_environments/terminals/shell_tool.py, leading to OS command injection. The attack may be initiated remotely, but its complexity is rather high, which makes exploitation difficult. The exploit has been publicly disclosed and may be used.

Recommendations: As a temporary workaround, consider disabling the subprocess.run and subprocess.Popen functions in the shell_tool.py file until a fix is available. Restrict access to the shell_tool.py module to minimize the risk of exploitation. Avoid using the subprocess module in the affected file until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

OS Command Injection

Command Injection

Weakness Enumeration

Related Identifiers

CVE-2025-4032
GHSA-JMJF-MFHM-J3GF

Affected Products

Inclusionai Aworld