AutoGPT Server-Side Template Injection Vulnerability Leading to Remote Code Execution

Vulnerability

A Server-Side Template Injection (SSTI) vulnerability has been identified in AutoGPT versions 0.3.4 and earlier. This vulnerability could lead to Remote Code Execution (RCE) due to improper handling of user-supplied format strings in the 'AgentOutputBlock' implementation. Malicious input is passed to the Jinja2 templating engine without sufficient security measures, allowing attackers to execute arbitrary commands on the host system. The vulnerability has been fixed in version 0.4.0.

Impact

Exploitation of this vulnerability allows for arbitrary code execution on the host system where AutoGPT is running.

Reproduction

To reproduce this vulnerability, create an agent that includes a block capable of processing format strings. Import an agent that executes such a block and upload it to the marketplace. Once the agent is imported from the marketplace, it can be executed, triggering the vulnerability. The 'TextFormatter' utility class, introduced in version 0.4.0, can be used to demonstrate the vulnerability by formatting strings in a way that exploits the SSTI flaw.

Remediation

Users can upgrade to AutoGPT version 0.4.0 or later, where this vulnerability has been fixed.
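
As an added example (not code from AutoGPT or from this advisory), a standard-library triage check for the import path described under Reproduction: it walks an exported agent's JSON and reports Jinja2 expressions that reach underscore-prefixed attributes or use the 'attr' filter. The JSON field names, the sample agent and the function names 'iter_strings' and 'audit_agent' are constructed assumptions.

```python
import json
import re

# Jinja2 delimiters: {{ expression }} and {% statement %}
JINJA_EXPR = re.compile(r"\{\{(.*?)\}\}|\{%(.*?)%\}", re.S)
# Underscore-prefixed names reached by attribute, subscript or the attr filter
INTERNAL_ACCESS = re.compile(
    r"""\.\s*_\w*                # obj._name / obj.__name__
      | \[\s*['"]_\w*['"]\s*\]   # obj["__name__"]
      | \|\s*attr\s*\(           # obj|attr("...")
    """,
    re.X,
)

def iter_strings(node, path="$"):
    """Yield (json_path, string) for every string value in a decoded JSON tree."""
    if isinstance(node, str):
        yield path, node
    elif isinstance(node, dict):
        for key, value in node.items():
            yield from iter_strings(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from iter_strings(value, f"{path}[{i}]")

def audit_agent(agent_json: str):
    """Return [(json_path, expression)] for template expressions touching internals."""
    findings = []
    for path, text in iter_strings(json.loads(agent_json)):
        for match in JINJA_EXPR.finditer(text):
            expr = (match.group(1) or match.group(2) or "").strip()
            if INTERNAL_ACCESS.search(expr):
                findings.append((path, expr))
    return findings

# Constructed sample export; the field names are assumptions, not AutoGPT's schema.
SAMPLE_AGENT = json.dumps({
    "name": "demo-agent",
    "nodes": [
        {"id": "n1", "input_default": {"format": "Result: {{ value }}"}},
        {"id": "n2", "input_default": {"format": "{{ value.__class__ }}"}},
        {"id": "n3", "input_default": {"format": "{{ value|attr('x') }}"}},
    ],
})

if __name__ == "__main__":
    for path, expr in audit_agent(SAMPLE_AGENT):
        print(f"{path}: {expr}")
```

A finding is a reason to review the agent before running it on an instance that has not yet been upgraded; the check is a heuristic and does not replace moving to 0.4.0 or later.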

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 4.2
impact: 10.0
exploitability: 4.6
remediation: 7.7
relevance: 0.0
threat: 6.6
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.