Significant Gravitas AutoGPT Command Injection Vulnerability in Workflow Checker

Vulnerability

A command injection vulnerability has been identified in the workflow-checker.yml GitHub Actions workflow of Significant Gravitas AutoGPT, affecting all versions up to the latest release. The vulnerability arises from the insecure handling of untrusted user input, specifically the 'github.head_ref' expression (the source branch name of a pull request), which is interpolated into a shell command without sanitization and can therefore be used to inject arbitrary commands. An attacker could create a branch whose name contains a malicious payload and submit a pull request, potentially gaining reverse shell access on the runner or stealing sensitive tokens and keys.

Impact

Successful exploitation allows an attacker to execute arbitrary commands on the server that runs the workflow. This could result in reverse shell access or the theft of sensitive tokens and keys available to the workflow.
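As an added example (not the advisory's text or AutoGPT's code), the following Python check contrasts a constructed workflow snippet showing the weak pattern described above, 'github.head_ref' expanded directly inside a run: script, with a hardened form that passes the value through an environment variable, and scans both for the defect. The scanner also flags a few other well-known contributor-controlled contexts beyond the one this advisory names; the YAML samples are constructed for illustration, not the real workflow-checker.yml.

```python
import re
# Constructed samples (illustrative, not AutoGPT's real workflow-checker.yml).
# Weak form: the PR branch name is expanded straight into the shell script.
VULNERABLE = """\
jobs:
  check:
    steps:
      - run: echo "Checking ${{ github.head_ref }}"
"""
# Hardened form: the value enters via an env var, so the shell only ever sees
# $HEAD_REF and never re-parses the branch name as code.
HARDENED = """\
jobs:
  check:
    steps:
      - env:
          HEAD_REF: ${{ github.head_ref }}
        run: |
          echo "Checking $HEAD_REF"
"""
# github.head_ref is the advisory's context; the rest are other well-known contributor-controlled ones.
UNTRUSTED = re.compile(
    r"github\.head_ref"
    r"|github\.event\.pull_request\.(?:title|body|head\.(?:ref|label))"
    r"|github\.event\.(?:issue|comment|review|review_comment)\.(?:title|body)")
EXPR = re.compile(r"\$\{\{\s*(.*?)\s*\}\}")
RUN_KEY = re.compile(r"^(\s*)(?:-\s+)?run:\s*(.*)$")

def run_blocks(text):
    """Yield (line_no, script) per run: step, handling | and > block scalars."""
    lines, i = text.splitlines(), 0
    while i < len(lines):
        m = RUN_KEY.match(lines[i])
        i += 1
        if not m:
            continue
        indent, script, start = len(m.group(1)), m.group(2), i
        if script.strip()[:1] in ("|", ">"):  # block scalar: take deeper-indented lines
            body = []
            while i < len(lines) and (not lines[i].strip()
                                      or len(lines[i]) - len(lines[i].lstrip()) > indent):
                body.append(lines[i])
                i += 1
            script = "\n".join(body)
        yield start, script

def scan(text):
    """Return (line_no, expression) for each untrusted context inlined into run:."""
    return [(n, m.group(1)) for n, s in run_blocks(text)
            for m in EXPR.finditer(s) if UNTRUSTED.search(m.group(1))]
```

Only expressions expanded inside a run: script are reported; the same 'github.head_ref' placed under env: in the hardened sample is intentionally not flagged, because the runner then passes it to the shell as data rather than as part of the command text.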

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread:         0.0
impact:         5.0
exploitability: 8.7
remediation:    0.0
relevance:      0.0
threat:         6.4
urgency:        2.9
incentive:      5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.