Salesforce Agentforce Vibes Extension Code Injection Vulnerability
Vulnerability
A code injection vulnerability has been identified in the Salesforce Agentforce Vibes Extension, affecting versions prior to 3.2.0. This vulnerability arises from improper neutralization of input used for large language model (LLM) prompting, which could allow arbitrary command execution. When combined with prompt injection, it could lead to remote code execution, potentially granting full access to the victim's Salesforce organization.
Impact
Exploitation of this vulnerability could allow arbitrary command execution, and when combined with prompt injection, it could result in remote code execution, potentially granting full access to the victim's Salesforce organization.
Remediation
Users of the Agentforce Vibes extension should update to version 3.2.0 or later. Those who have disabled automatic updates must manually check for and install the latest version. Instructions for manually updating extensions are available in the Salesforce Knowledge Article Number 005228032.
