Defog-AI Introspect Remote Code Execution Vulnerability in Test Endpoint

Vulnerability

A critical remote code execution vulnerability exists in Defog-AI Introspect versions up to 0.1.4. The issue arises in the Test Endpoint's 'input_model' parameter, where improper handling allows for arbitrary code injection. Although the endpoint attempts to limit execution through a controlled namespace, attackers can exploit this by injecting malicious Python code that bypasses these restrictions. The injected code can import unauthorized modules, access dangerous built-in functions, and execute system commands, thereby gaining full control over the server environment. This vulnerability requires local exploitation.

Impact

Exploitation of this vulnerability allows for remote code execution on the server, with the executed commands running under the server's privileges.

Reproduction

To reproduce this vulnerability, send a request to the '/custom_tools/test' endpoint with an 'input_model' payload that includes both a valid Pydantic model definition and injected malicious code. The injected code can exploit the 'exec()' function's execution context to import restricted modules or execute system commands.

Remediation

Users can update to Defog-AI Introspect version 0.1.5 or later, where this vulnerability has been fixed.
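
A restricted exec() namespace does not constrain what the submitted source itself contains, so a defensive pattern is to parse 'input_model' and reject anything that is not a plain model declaration before any execution happens. The following is an added example, not the project's code or the fix shipped in 0.1.5; it assumes the server supplies BaseModel itself and that fields use simple annotations with literal defaults, and the function and sample names are hypothetical.

```python
import ast

# Assumption: annotations are plain or subscripted names, e.g. str, list[str], Optional[int].
SAFE_ANNOTATION = (ast.Name, ast.Subscript, ast.Tuple, ast.Load)


def _safe_annotation(node):
    for n in ast.walk(node):
        if not isinstance(n, SAFE_ANNOTATION):
            return False
        if isinstance(n, ast.Name) and n.id.startswith("_"):
            return False
    return True


def _safe_field(item):
    # Docstring: a bare string constant expression.
    if isinstance(item, ast.Expr):
        return isinstance(item.value, ast.Constant) and isinstance(item.value.value, str)
    # Field: `name: annotation` with an optional literal default, nothing computed.
    return (isinstance(item, ast.AnnAssign)
            and isinstance(item.target, ast.Name)
            and not item.target.id.startswith("_")
            and _safe_annotation(item.annotation)
            and (item.value is None or isinstance(item.value, ast.Constant)))


def validate_input_model(source):
    """Return a list of problems; empty means `source` only declares models."""
    try:
        tree = ast.parse(source)
    except SyntaxError as exc:
        return [f"syntax error: {exc.msg}"]
    problems = []
    for stmt in tree.body:
        if not isinstance(stmt, ast.ClassDef):
            problems.append(f"line {stmt.lineno}: {type(stmt).__name__} not allowed at top level")
            continue
        bases_ok = (len(stmt.bases) == 1 and isinstance(stmt.bases[0], ast.Name)
                    and stmt.bases[0].id == "BaseModel")
        if not bases_ok or stmt.keywords or stmt.decorator_list:
            problems.append(f"line {stmt.lineno}: class must be a plain BaseModel subclass")
        for item in stmt.body:
            if not _safe_field(item):
                problems.append(f"line {item.lineno}: {type(item).__name__} not allowed in model body")
    return problems


# Constructed sample inputs (not taken from the advisory).
VALID = "class Input(BaseModel):\n    question: str\n    limit: int = 10\n    tags: list[str]\n"
TRAILING_STATEMENT = VALID + "import os\n"
COMPUTED_DEFAULT = "class Input(BaseModel):\n    question: str = helper()\n"
```

The check is an allowlist: statement types it does not recognize are rejected rather than searched for known-bad names. Requests that return a non-empty problem list should be refused and logged.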

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 10.0
exploitability: 4.6
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.