Executive Summary

The vulnerability affects the Programmer component of MetaGPT (version up to 0.8.1), specifically in the file metagpt/ext/aflow/scripts/operator.py. It involves the function code_generate which processes natural language prompts to generate Python code via a large language model (LLM). This generated code is then executed on the host system.

The system attempts to sanitize the generated code by parsing its abstract syntax tree (AST) to filter out unsafe code and disallowed imports such as os, sys, and subprocess. However, these security checks are insufficient and rely on simple string matching, which can be bypassed.

As a result, attackers can craft malicious natural language prompts that cause the LLM to generate and execute arbitrary Python code, including system commands, remotely on the vulnerable host.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows remote code execution (RCE) on any server running the vulnerable MetaGPT version. An attacker can execute arbitrary system commands by submitting specially crafted natural language prompts.

This can lead to unauthorized access, data theft, system compromise, or disruption of services, especially if the Programmer component is exposed to untrusted users through APIs, web forms, or chat interfaces.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'Detection of this vulnerability involves monitoring for suspicious execution of Python code generated by the MetaGPT Programmer component, especially code that attempts to import restricted modules or execute system commands.'}, {'type': 'paragraph', 'content': 'Since the vulnerability is exploited by sending crafted natural language prompts that cause the LLM to generate and execute malicious Python code, detection can focus on identifying such prompts or the resulting code execution.'}, {'type': 'list_item', 'content': 'Monitor logs or API requests for unusual or suspicious natural language inputs that may attempt to trigger code generation.'}, {'type': 'list_item', 'content': "Check for execution of Python code containing disallowed imports such as 'os', 'sys', 'subprocess', or calls to '__import__' with system commands."}, {'type': 'list_item', 'content': "Use commands like 'ps aux | grep python' to identify running Python processes that may be executing unexpected code."}, {'type': 'list_item', 'content': "Inspect logs for outputs of commands like 'ls /' or other system commands that should not normally be executed."}, {'type': 'paragraph', 'content': 'No specific detection commands or scripts are provided in the available resources.'}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include restricting access to the vulnerable MetaGPT Programmer component to trusted users only, as the vulnerability allows remote code execution via crafted natural language prompts.

Since the vulnerability arises from insufficient sanitization and import restrictions in the code generation and execution process, consider the following actions:

• Disable or restrict any public or untrusted access to the MetaGPT Programmer API or interfaces that accept natural language prompts.
• Implement stricter input validation and sanitization beyond the current AST-based filtering to prevent malicious code generation.
• Apply network-level controls such as firewall rules to limit access to the vulnerable service.
• Monitor and audit usage logs for suspicious activity.

No official patch or vendor response is available as the vendor did not respond to the disclosure.

Useful 0 Not Useful 0