CVE-2024-23750
Description
MetaGPT through 0.6.4 allows the QaEngineer role to execute arbitrary code because RunCode.run_script() passes shell metacharacters to subprocess.Popen.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
MetaGPT 0.6.4 and earlier allow arbitrary code execution via the QaEngineer role because RunCode.run_script() passes untrusted input to subprocess.Popen without sanitization.
Vulnerability Overview
MetaGPT versions through 0.6.4 contain a critical flaw in the QaEngineer role. The RunCode.run_script() method uses subprocess.Popen to execute code generated during testing, and it passes shell metacharacters through to that call without any sanitization. An attacker who can influence the prompts seen by the Engineer role can therefore inject arbitrary shell commands into the execution flow [1][2][3][4].
Exploitation Vector
The attack surface is the multi-agent pipeline: a malicious user provides a crafted requirement (e.g., asking to write and test code that executes a shell command). The Engineer role generates code containing dangerous shell metacharacters, and the QaEngineer naively runs that code via RunCode. No authentication beyond API‑key access is needed; the vulnerability is exercised during normal project execution. A proof of concept demonstrates that a benign command like ls -l is successfully executed, confirming the lack of input validation [3][4].
Impact
An attacker who can submit a project requirement can achieve arbitrary code execution on the host running MetaGPT. This ability extends to file deletion, lateral movement, installing backdoors, or any other action permitted by the process owner. Because MetaGPT is often deployed in development or CI environments, the blast radius can include source code, credentials, and connected cloud resources [2][3][4].
Mitigation Status
As of the publication date (2024-01-22), MetaGPT 0.6.4 is the latest affected version. No official patch had been released; the project maintainers were advised to containerize code execution (e.g., with Docker) or apply a whitelist/blacklist to shell commands. Users are urged to restrict network access to the MetaGPT instance and treat all generated code as untrusted until a fix is deployed [1][4].
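The allowlist option mentioned above, sketched as an added example; this is not MetaGPT's code or an official fix. The policy (Python interpreter only, script confined to a workspace directory) and the names `build_argv`, `run_script` and `RejectedCommand` are assumptions made for illustration.

```python
import shlex
import subprocess
import sys
from pathlib import Path

# Assumed policy for this sketch: only a Python interpreter may be launched.
ALLOWED_INTERPRETERS = {"python", "python3"}
SHELL_METACHARS = set(";&|`$<>(){}[]*?~!#\\\"'\n\r")


class RejectedCommand(ValueError):
    """Raised when a requested command fails the allowlist policy."""


def build_argv(command, workspace):
    """Return a vetted argv list for `command`, or raise RejectedCommand."""
    try:
        argv = shlex.split(command) if isinstance(command, str) else list(command)
    except ValueError as exc:  # e.g. unbalanced quotes
        raise RejectedCommand(f"unparseable command: {exc}") from exc
    if len(argv) < 2 or argv[0] not in ALLOWED_INTERPRETERS:
        raise RejectedCommand(f"interpreter not allowed: {argv[:1]}")
    for arg in argv[1:]:
        if SHELL_METACHARS & set(arg):
            raise RejectedCommand(f"shell metacharacter in argument: {arg!r}")
    if argv[1].startswith("-"):
        raise RejectedCommand("interpreter options such as -c are not allowed")
    root = Path(workspace).resolve()
    script = (root / argv[1]).resolve()
    if not script.is_relative_to(root) or not script.is_file():
        raise RejectedCommand(f"script outside workspace or missing: {argv[1]}")
    # Pin the interpreter to an absolute path instead of trusting PATH lookup.
    return [sys.executable, str(script), *argv[2:]]


def run_script(command, workspace, timeout=10):
    """Run a vetted command as an argv list, with no shell and a hard timeout."""
    argv = build_argv(command, workspace)
    proc = subprocess.run(argv, cwd=workspace, shell=False, capture_output=True,
                          text=True, timeout=timeout)
    return proc.returncode, proc.stdout, proc.stderr
```

This constrains only the command line. The generated script itself still runs with the process owner's privileges, which is why the containerization advice above applies regardless.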
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| metagpt (PyPI) | <= 0.6.6 | — |
Affected products (2)
- MetaGPT/MetaGPT
Patches
No patches discovered yet.
References (4)
News mentions: no linked articles in our index yet.