PT-2026-33615 · Pypi · Praisonaiagents
Published 2026-04-08 · Updated 2026-04-08
CVSS v3.1: 6.5 (Medium)
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
Summary
The MultiAgentLedger and MultiAgentMonitor components in the provided code exhibit vulnerabilities that can lead to context leakage and arbitrary file operations. Specifically:
- Memory State Leakage via Agent ID Collision: The MultiAgentLedger uses a dictionary to store ledgers by agent ID without enforcing uniqueness. This allows agents with the same ID to share ledger instances, leading to potential leakage of sensitive context data.
- Path Traversal in MultiAgentMonitor: The MultiAgentMonitor constructs file paths by concatenating the base path and the agent ID without sanitization. This allows an attacker to escape the intended directory using path traversal sequences (e.g., ../), potentially leading to arbitrary file read/write.
Details
Vulnerability 1: Memory State Leakage
- File: examples/context/12_multi_agent_context.py:68
- Description: The MultiAgentLedger class uses a dictionary (self.ledgers) to store ledger instances keyed by agent ID. The get_agent_ledger method creates a new ledger only if the agent ID is not present. If two agents are registered with the same ID, they share the same ledger instance. This violates the isolation policy and can leak sensitive context data (system prompts, conversation history) between agents.
- Exploitability: An attacker can register an agent with the same ID as a victim agent to gain access to its ledger. This is particularly dangerous in multi-tenant systems where agents may handle sensitive user data.
Vulnerability 2: Path Traversal
- File: examples/context/12_multi_agent_context.py:106
- Description: The MultiAgentMonitor class constructs file paths for agent monitors by directly concatenating the base path and the agent ID. Since the agent ID is not sanitized, an attacker can provide an ID containing path traversal sequences (e.g., ../../malicious). This can result in files being created or read outside the intended directory (base path).
- Exploitability: An attacker can create an agent with a malicious ID (e.g., ../../etc/passwd) to write or read arbitrary files on the system, potentially leading to information disclosure or file corruption.
PoC
Memory State Leakage
```python
# MultiAgentLedger is the class from examples/context/12_multi_agent_context.py
multi_ledger = MultiAgentLedger()
# Victim agent (user1) registers and tracks sensitive data
victim_ledger = multi_ledger.get_agent_ledger('user1_agent')
victim_ledger.track_system_prompt("Sensitive system prompt")
victim_ledger.track_history([{"role": "user", "content": "Secret data"}])
# Attacker registers with the same ID
attacker_ledger = multi_ledger.get_agent_ledger('user1_agent')
# Attacker now has access to victim's ledger
print(attacker_ledger.get_ledger().system_prompt)  # Outputs: "Sensitive system prompt"
print(attacker_ledger.get_ledger().history)  # Outputs: [{'role': 'user', 'content': 'Secret data'}]
```
Path Traversal
```python
import tempfile

# MultiAgentMonitor is the class from examples/context/12_multi_agent_context.py
with tempfile.TemporaryDirectory() as tmpdir:
    multi_monitor = MultiAgentMonitor(base_path=tmpdir)
    # Create agent with malicious ID
    malicious_id = '../../malicious'
    monitor = multi_monitor.get_agent_monitor(malicious_id)
    # The monitor file is created outside the intended base path
    # Example: if tmpdir is '/tmp/safe_dir', the actual path might be '/tmp/malicious'
    print(monitor.path)  # Outputs: '/tmp/malicious' (or equivalent)
```
Impact
- Memory State Leakage: This vulnerability can lead to unauthorized access to sensitive agent context, including system prompts and conversation history. In a multi-tenant system, this could result in cross-user data leakage.
- Path Traversal: An attacker can read or write arbitrary files on the system, potentially leading to information disclosure, denial of service (by overwriting critical files), or remote code execution (if executable files are overwritten).
Recommended Fix
For Memory State Leakage
- Enforce unique agent IDs at the application level. If the application expects unique IDs, add a check during agent registration to prevent duplicates.
- Alternatively, modify the MultiAgentLedger to throw an exception if an existing agent ID is reused (unless explicitly allowed).
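Worked example of the second option above (added here; not code from praisonaiagents): a MultiAgentLedger that separates registering an agent from looking up its ledger and raises on a duplicate ID, so two callers can never be handed the same instance by accident. AgentLedger, the two exception classes, register_agent and release_agent are this example's own names; the project's real ledger type and method set are not reproduced.

```python
# Added example (not praisonaiagents code): a MultiAgentLedger that enforces
# unique agent IDs. AgentLedger is a constructed minimal stand-in for the
# project's per-agent ledger; the register/get split and the error classes
# are this example's own design.
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class AgentLedger:
    """Constructed stand-in holding one agent's context."""
    system_prompt: str = ""
    history: list[dict] = field(default_factory=list)

    def track_system_prompt(self, prompt: str) -> None:
        self.system_prompt = prompt

    def track_history(self, messages: list[dict]) -> None:
        self.history.extend(messages)


class DuplicateAgentIdError(ValueError):
    """An agent ID that is already registered was presented again."""


class UnknownAgentIdError(KeyError):
    """An agent ID was looked up that was never registered."""


class MultiAgentLedger:
    """Registry of ledgers keyed by agent ID: one ledger per ID, no silent sharing."""

    def __init__(self) -> None:
        self._ledgers: dict[str, AgentLedger] = {}

    def register_agent(self, agent_id: str) -> AgentLedger:
        """Create the ledger for a new agent. A second registration of the
        same ID raises instead of handing back the existing instance."""
        if not isinstance(agent_id, str) or not agent_id:
            raise ValueError("agent_id must be a non-empty string")
        if agent_id in self._ledgers:
            raise DuplicateAgentIdError(f"agent ID already registered: {agent_id!r}")
        ledger = AgentLedger()
        self._ledgers[agent_id] = ledger
        return ledger

    def get_agent_ledger(self, agent_id: str) -> AgentLedger:
        """Lookup only: never creates, so a probe or typo cannot mint a ledger."""
        try:
            return self._ledgers[agent_id]
        except KeyError:
            raise UnknownAgentIdError(agent_id) from None

    def release_agent(self, agent_id: str) -> None:
        """Drop an agent's ledger when it finishes so its context is not reused."""
        self._ledgers.pop(agent_id, None)


def collision_is_rejected() -> bool:
    """Replay the advisory's PoC sequence against the hardened registry: the
    victim's ledger keeps its data and the duplicate registration fails."""
    registry = MultiAgentLedger()
    victim = registry.register_agent("user1_agent")
    victim.track_system_prompt("Sensitive system prompt")
    victim.track_history([{"role": "user", "content": "Secret data"}])
    try:
        registry.register_agent("user1_agent")
    except DuplicateAgentIdError:
        return victim.system_prompt == "Sensitive system prompt" and len(victim.history) == 1
    return False  # reached only if the duplicate was silently accepted


if __name__ == "__main__":
    print("duplicate ID rejected:", collision_is_rejected())
```

Uniqueness alone does not decide who may read a ledger: the lookup still trusts the caller to present the right ID, so in a multi-tenant deployment the ID handed to get_agent_ledger should be derived from the authenticated session rather than taken from request input.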
For Path Traversal
- Sanitize agent IDs before using them in file paths. Replace any non-alphanumeric characters (except safe ones like underscores) or remove path traversal sequences.
- Use os.path.join and os.path.realpath to resolve paths, then check that the resolved path is inside the intended base directory.
Example fix for MultiAgentMonitor:
```python
import os

def get_agent_monitor(self, agent_id: str):
    # Sanitize agent_id: strip traversal sequences, then keep only the final
    # path component so no separator survives into the joined path
    safe_id = os.path.basename(agent_id.replace('../', '').replace('..', ''))
    # Alternatively, use a strict allow-list of characters
    if not safe_id or safe_id == '.':
        raise ValueError(f"Invalid agent ID: {agent_id}")
    # Construct the path and ensure it resolves inside base_path. Compare with
    # os.path.commonpath rather than a string prefix: a prefix test would also
    # accept a sibling directory whose name merely begins with base_path
    agent_path = os.path.join(self.base_path, safe_id)
    real_path = os.path.realpath(agent_path)
    real_base = os.path.realpath(self.base_path)
    if os.path.commonpath([real_base, real_path]) != real_base:
        raise ValueError(f"Invalid agent ID: {agent_id}")
    ...
```
Additionally, consider using a dedicated function for sanitizing filenames.
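A complete, runnable version of the two path traversal fix bullets above (added here; not code from praisonaiagents): an allow-list on the agent ID, a containment check built on os.path.commonpath instead of a string prefix, and the advisory's PoC input run against it. MultiAgentMonitor, resolve_monitor_path, place_monitor and the assumption that the monitor file is named after the bare agent ID are this example's own; it goes slightly beyond the page's fix by also showing why a string-prefix comparison on its own is insufficient.

```python
# Added example (not praisonaiagents code): agent-ID allow-listing plus a
# commonpath containment check for the monitor file. The MultiAgentMonitor
# class here is this example's own minimal version; the project's real class,
# file layout and attribute names are not reproduced. File names are the bare
# agent ID (an assumption; the project may add an extension).
from __future__ import annotations

import os
import re
import tempfile

# Allow-list: letters, digits, underscore and hyphen, 1..64 characters. No
# separators and no dots, so '..', '/', '\\' and NUL never reach the file system.
AGENT_ID_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9_-]{0,63}")


class UnsafeAgentIdError(ValueError):
    """Agent ID failed the allow-list or resolved outside the base directory."""


def validate_agent_id(agent_id: str) -> str:
    """Return agent_id unchanged if it matches the allow-list, else raise."""
    if not isinstance(agent_id, str) or not AGENT_ID_RE.fullmatch(agent_id):
        raise UnsafeAgentIdError(f"agent ID not allowed: {agent_id!r}")
    return agent_id


def is_inside(base: str, candidate: str) -> bool:
    """True when candidate (after symlink resolution) is base itself or below it.
    os.path.commonpath compares whole path components; str.startswith would
    also accept '/srv/agents2' for base '/srv/agents'."""
    real_base = os.path.realpath(base)
    real_candidate = os.path.realpath(candidate)
    return os.path.commonpath([real_base, real_candidate]) == real_base


def resolve_monitor_path(base_path: str, agent_id: str) -> str:
    """Validate the ID, join it under base_path, and prove the result stays inside."""
    safe_id = validate_agent_id(agent_id)
    candidate = os.path.join(base_path, safe_id)
    # Defence in depth: the allow-list already forbids escapes, the check
    # guards against a future relaxation of the regex or a symlinked base.
    if not is_inside(base_path, candidate):
        raise UnsafeAgentIdError(f"agent ID escapes base path: {agent_id!r}")
    return os.path.realpath(candidate)


class MultiAgentMonitor:
    """Minimal monitor registry: one file per agent, always under base_path."""

    def __init__(self, base_path: str) -> None:
        self.base_path = os.path.realpath(base_path)
        os.makedirs(self.base_path, exist_ok=True)

    def get_agent_monitor(self, agent_id: str) -> str:
        """Create (or reuse) the agent's monitor file and return its path."""
        path = resolve_monitor_path(self.base_path, agent_id)
        with open(path, "a", encoding="utf-8"):
            pass  # touch the file; a real monitor would write its state here
        return path


def prefix_check_accepts_sibling(base: str, other: str) -> bool:
    """Show the weakness of a plain startswith check: True when `other` passes
    the prefix test even though commonpath shows it is not under `base`."""
    return other.startswith(base) and os.path.commonpath([base, other]) != base


def place_monitor(agent_id: str) -> str:
    """Try to create a monitor for agent_id in a fresh temp dir and report
    'rejected' (validation failed), 'inside' (file created under base) or
    'outside' (file escaped the base; must never happen)."""
    with tempfile.TemporaryDirectory() as tmpdir:
        monitor = MultiAgentMonitor(base_path=tmpdir)
        try:
            path = monitor.get_agent_monitor(agent_id)
        except UnsafeAgentIdError:
            return "rejected"
        inside = os.path.dirname(path) == monitor.base_path and os.path.isfile(path)
        return "inside" if inside else "outside"


if __name__ == "__main__":
    for candidate in ("user1_agent", "../../malicious", "..", "a/b", ""):
        print(f"{candidate!r:20} -> {place_monitor(candidate)}")
    print("startswith accepts sibling dir:",
          prefix_check_accepts_sibling("/srv/agents", "/srv/agents2"))
```

Rejecting an ID that fails the allow-list, rather than rewriting it, is deliberate: stripping traversal sequences maps different raw IDs (for example '../../user1_agent' and 'user1_agent') onto the same file name, which would reintroduce the collision problem from Vulnerability 1 at the file system level.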
Fix
Exposure of Resource to Wrong Sphere
Path traversal
Related Identifiers
Affected Products
Praisonaiagents