Hugging Face Smolagents Local Python Sandbox Escape Vulnerability
Vulnerability
A vulnerability in Hugging Face Smolagents' Local Python execution environment allows a sandbox escape through dunder attributes. The root cause is incomplete validation of these attributes: an attacker who can perform a Prompt Injection can trick the agent into generating and executing malicious code that the executor does not block. The vulnerability is present in Smolagents versions prior to 1.21.0.
Impact
Exploitation of this vulnerability allows for unauthorized execution of code outside the intended sandboxed environment, potentially leading to execution of harmful commands or access to restricted resources.
Reproduction
To reproduce this vulnerability, create a 'LocalPythonExecutor' instance and send it a Prompt Injection containing dunder method calls. The injected prompt can reach dunder methods such as '__getattribute__' and '__subclasses__', which allows traversal of the class hierarchy to locate a subprocess-capable class and run shell commands, such as a 'curl' request.
Remediation
When using Smolagents, avoid the Local Python execution environment. Use the WebAssembly executor instead, which is not affected by this vulnerability: for example, create a 'CodeAgent' with 'executor_type' set to 'wasm'.
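The advisory attributes the escape to incomplete validation of dunder attributes. The following is an added, illustrative pre-execution gate (not Smolagents' own code; the function names 'find_dunder_access' and 'is_safe_to_execute' are hypothetical) that rejects agent-generated code before it runs, covering not only direct 'a.__x__' syntax but also string-based lookups through getattr() and friends, which a check limited to attribute syntax would miss:

```python
import ast

# A dunder name: __class__, __subclasses__, __getattribute__, ...
def is_dunder(name: str) -> bool:
    return len(name) > 4 and name.startswith("__") and name.endswith("__")

# Builtins that perform attribute access by string; a dunder name can be
# smuggled through them as a string, so they need the same gate as a.b syntax.
DYNAMIC_ATTR_BUILTINS = {"getattr", "setattr", "delattr", "hasattr"}

def find_dunder_access(source: str) -> list:
    """Return one finding per dunder access in the given source code.

    Walks the AST and reports direct dunder attribute access, bare dunder
    names, and string-based attribute lookups, so the caller can refuse to run
    the code.  Hypothetical helper, not part of Smolagents.
    """
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Attribute) and is_dunder(node.attr):
            findings.append(f"line {node.lineno}: attribute {node.attr}")
        elif isinstance(node, ast.Name) and is_dunder(node.id):
            findings.append(f"line {node.lineno}: name {node.id}")
        elif (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
              and node.func.id in DYNAMIC_ATTR_BUILTINS and len(node.args) >= 2):
            target = node.args[1]
            if isinstance(target, ast.Constant) and isinstance(target.value, str):
                if is_dunder(target.value):
                    findings.append(f"line {node.lineno}: {node.func.id}() with {target.value}")
            else:
                # Attribute name computed at runtime: it cannot be validated
                # statically, so refuse it outright.
                findings.append(f"line {node.lineno}: {node.func.id}() with dynamic attribute name")
    return findings

def is_safe_to_execute(source: str) -> bool:
    return not find_dunder_access(source)

# Constructed samples: benign arithmetic, the dunder traversal named in the
# advisory, and the same lookup smuggled through getattr() as a string.
BENIGN = "total = sum(x * x for x in range(10))\nprint(total)"
ESCAPE_ATTEMPT = "for cls in object.__subclasses__():\n    print(cls)"
SMUGGLED = "subs = getattr(object, '__subclasses__')()"

if __name__ == "__main__":
    for label, code in [("benign", BENIGN), ("escape", ESCAPE_ATTEMPT), ("smuggled", SMUGGLED)]:
        print(label, "safe" if is_safe_to_execute(code) else find_dunder_access(code))
```

A gate like this belongs in front of any local executor; it is a defence-in-depth check, not a substitute for upgrading to 1.21.0 or switching to the 'wasm' executor.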
