inclusionAI AWorld shell_tool.py subprocess.Popen os command injection
Description
A critical OS command injection in AWorld's shell_tool.py uses subprocess.run/Popen with shell=True, allowing remote code execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability Overview
A critical OS command injection vulnerability (CWE-78) has been discovered in the AWorld project by inclusionAI. The flaw resides in the file /aworld/virtual_environments/terminals/shell_tool.py, where the execute and execute_async methods employ subprocess.run() and subprocess.Popen() with the shell=True parameter. This configuration passes user-supplied input directly to the system shell without proper sanitization, enabling an attacker to inject arbitrary commands. The issue affects all versions up to commit 8c257626e648d98d793dd9a1a950c2af4dd84c4e [1][2][3][4].
Attack Vector and Exploitation
An attacker can exploit this vulnerability by crafting malicious input strings that include shell metacharacters (e.g., ;, |, &&) appended to legitimate commands. For instance, input such as ; rm -rf / would terminate the original intended command and execute the destructive payload. The attack can be initiated remotely, although the official description rates the complexity as high and exploitation as difficult, likely due to the need for prior access to the command input interface. The exploit has been publicly disclosed, increasing the risk of active use [2][3][4].
Technical Impact
Successful exploitation allows an attacker to execute arbitrary OS commands with the privileges of the AWorld process. This can lead to complete system compromise, including data exfiltration, file deletion, installation of malware, or lateral movement within the network. Because the product does not use versioning, determining the exact scope of affected deployments is challenging, but any instance using the vulnerable code is at risk [1][2].
Mitigation Status
No official patch or version release has been provided by the vendor, as the product does not follow a versioned release model. Users should immediately review the code in shell_tool.py and either remove the shell=True parameter or replace the subprocess calls with safer alternatives (e.g., using shlex.quote() on input or switching to shell=False with a list of arguments). Until a fix is applied, access to the command input functionality should be restricted to trusted users only [2][3][4].
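The following is an added example of the two safer alternatives named above, written here for illustration; it is not AWorld's shell_tool.py and does not reproduce the project's code. The function names (execute, execute_async, shell_command, build_argv), the command allowlist and the sample inputs are assumptions made for this example.

```python
"""Hardened replacements for a shell=True command runner.

Added example, not AWorld's own code. Function names, the allowlist and the
sample inputs are assumed/constructed for illustration only.
"""
from __future__ import annotations

import shlex
import subprocess

# Hypothetical allowlist of permitted program names (assumption, not from the
# advisory). With shell=False the allowlist on argv[0] is enforceable because
# the operating system, not /bin/sh, decides which program is started.
ALLOWED_COMMANDS = frozenset({"echo", "ls", "cat", "pwd"})


def build_argv(command_line: str) -> list[str]:
    """Turn a user-supplied command line into an argv list.

    shlex.split() honours quoting but performs no expansion: ';', '|', '&&',
    '$(...)' and similar stay as literal argument text, so they can never
    start a second command when passed to subprocess with shell=False.
    """
    argv = shlex.split(command_line)
    if not argv:
        raise ValueError("empty command")
    if argv[0] not in ALLOWED_COMMANDS:
        raise ValueError(f"command not permitted: {argv[0]!r}")
    return argv


def execute(command_line: str, timeout: float = 5.0) -> subprocess.CompletedProcess:
    """Synchronous variant: argv list plus shell=False, so no shell is involved."""
    return subprocess.run(
        build_argv(command_line),
        shell=False,
        capture_output=True,
        text=True,
        timeout=timeout,
    )


def execute_async(command_line: str) -> subprocess.Popen:
    """Asynchronous variant with Popen, again an argv list and shell=False."""
    return subprocess.Popen(
        build_argv(command_line),
        shell=False,
        stdout=subprocess.PIPE,
        stderr=subprocess.PIPE,
        text=True,
    )


def shell_command(argv: list[str]) -> str:
    """For the rare case where a shell really is required (pipes or globs
    chosen by the application, never by the user): quote every argument with
    shlex.quote() so the shell sees each one as a single word."""
    return " ".join(shlex.quote(arg) for arg in argv)


if __name__ == "__main__":
    # Constructed sample: the classic "append another command" input.
    hostile = "echo hello; echo INJECTED"
    result = execute(hostile)
    # echo receives four literal arguments; nothing after ';' is executed.
    print(repr(result.stdout))  # 'hello; echo INJECTED\n'

    # A program name outside the allowlist is rejected before anything spawns.
    try:
        execute("curl http://example.invalid")
    except ValueError as exc:
        print("rejected:", exc)

    # Quoting path: the metacharacters end up inside single quotes.
    print(shell_command(["echo", "hello; echo INJECTED"]))  # echo 'hello; echo INJECTED'
```

Of the two alternatives, the argv list with shell=False is the stronger fix: it removes the shell from the picture entirely, so there is nothing to inject into. shlex.quote() is a fallback for code that cannot give up the shell, and it only protects arguments that are actually passed through it.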
- GitHub - inclusionAI/AWorld: Search, understand, reproduce, and improve an idea with ease
- NVD - CVE-2025-4032
- Vulnerability Report: OS Command Injection in shell_tool.py due to subprocess.run() and subprocess.Popen() with shell=True
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| aworld (PyPI) | <= 0.2.1 | — |
Affected products
- Range: 8c257626e648d98d793dd9a1a950c2af4dd84c4e
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/inclusionAI/AWorld/issues/38 (ghsa; exploit, issue-tracking; WEB)
- github.com/advisories/GHSA-jmjf-mfhm-j3gf (ghsa; ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2025-4032 (ghsa; ADVISORY)
- vuldb.com (ghsa; third-party-advisory; WEB)
- github.com/inclusionAI/AWorld/issues/38 (ghsa; issue-tracking; WEB)
- vuldb.com (ghsa; signature, permissions-required; WEB)
- vuldb.com (ghsa; vdb-entry, technical-description; WEB)
News mentions
No linked articles in our index yet.