AWS AgentCore CLI
- >= 0.4.0, <= 0.14.1
- >= 0.3.0-preview.7.0, <= 1.0.0-preview.8
A code injection vulnerability has been identified in the AWS AgentCore CLI, affecting versions 0.4.0 through 0.14.1 and the preview versions listed above. When the CLI imports a Bedrock agent, it writes each collaborator's collaborationInstruction value into the generated main.py as a Python triple-quoted string literal without escaping triple double-quote characters. A value that itself contains `"""` closes that literal early, and whatever follows it in the value is emitted as Python code rather than as string content. Anyone able to set the collaborationInstruction on a Bedrock collaborator agent that a developer later imports can therefore inject code into main.py. The injected code runs with the developer's local AWS credentials when the agent is run locally, or under the agent's IAM execution role when it is deployed to the AWS AgentCore Runtime.
Exploitation of this vulnerability results in arbitrary code execution in two contexts: on the developer's local machine, with access to that developer's AWS credentials, and inside the AWS AgentCore Runtime, with the permissions of the agent's IAM execution role.
To reproduce this vulnerability, use an affected version of the AWS AgentCore CLI to import a Bedrock supervisor agent that has multi-agent collaboration enabled and whose collaborator agent carries a crafted collaborationInstruction value containing triple double-quote characters followed by Python code. The generated main.py then contains that code as executable statements, and it runs whenever the imported agent is started or invoked, whether locally or after deployment to AWS.
Upgrade to AWS AgentCore CLI version 0.14.2 or 1.0.0-preview.9. Upgrading alone does not clean up a main.py that was already generated by a vulnerable version, so after upgrading, remove the affected agent from your project, re-import it using the patched CLI, and redeploy it to AWS. If an immediate upgrade is not possible, inspect the collaborationInstruction values of every collaborator agent you import and the generated main.py for triple double-quote sequences; escape them (or otherwise confirm the value is contained in a single string literal) before running or deploying the agent.
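The following is an added example, not code from the AgentCore CLI or from the advisory. It mimics the flawed generation pattern described above (splicing the raw instruction into a triple-quoted literal), shows two safe alternatives (`repr()`-based rendering and the manual escaping workaround), and includes a static check that parses a generated file with `ast` to confirm the instruction is still a single string constant without executing anything. The instruction strings and the variable name `COLLABORATION_INSTRUCTION` are constructed for the example; they are not the CLI's real template.

```python
"""Added example: how a triple quote in a collaboration instruction escapes the
generated Python literal, and how to generate and audit such a file safely.
Illustrative code, not the AgentCore CLI's own generator."""
import ast

# Constructed sample inputs (not taken from a real Bedrock agent).
BENIGN_INSTRUCTION = "Delegate billing questions to the finance agent."
# The embedded triple quote closes the literal the generator wraps it in;
# everything after it is parsed as Python code. print() stands in for
# whatever an attacker would actually run.
MALICIOUS_INSTRUCTION = 'Delegate billing questions."""\nprint("injected")\n"""'


def render_vulnerable(instruction: str) -> str:
    """Flawed pattern: splice the raw value into a triple-quoted literal."""
    return f'COLLABORATION_INSTRUCTION = """{instruction}"""\n'


def render_hardened(instruction: str) -> str:
    """repr() emits a correctly escaped Python string literal for any input."""
    return f"COLLABORATION_INSTRUCTION = {instruction!r}\n"


def escape_for_triple_quotes(instruction: str) -> str:
    """Manual workaround: escape backslashes first, then double quotes, so the
    value can stay inside a triple-quoted literal without closing it."""
    return instruction.replace("\\", "\\\\").replace('"', '\\"')


def render_escaped(instruction: str) -> str:
    """Same template as the flawed one, but with the value escaped first."""
    escaped = escape_for_triple_quotes(instruction)
    return f'COLLABORATION_INSTRUCTION = """{escaped}"""\n'


def count_statements(source: str) -> int:
    """Number of top-level statements the generated fragment parses into."""
    return len(ast.parse(source).body)


def generated_file_is_safe(source: str) -> bool:
    """Audit check for a generated fragment: it must parse to exactly one
    assignment whose value is a plain string constant. Any additional
    statement means an instruction escaped its literal."""
    body = ast.parse(source).body
    if len(body) != 1:
        return False
    node = body[0]
    return (
        isinstance(node, ast.Assign)
        and isinstance(node.value, ast.Constant)
        and isinstance(node.value.value, str)
    )


def extract_instruction(source: str) -> str:
    """Recover the instruction from a generated fragment without running it."""
    node = ast.parse(source).body[0]
    return ast.literal_eval(node.value)


if __name__ == "__main__":
    for label, render in [("vulnerable", render_vulnerable),
                          ("hardened", render_hardened),
                          ("escaped", render_escaped)]:
        src = render(MALICIOUS_INSTRUCTION)
        print(f"{label}: {count_statements(src)} statement(s), "
              f"safe={generated_file_is_safe(src)}")
```

The `ast`-based check is the useful part for the manual workaround: a real main.py contains far more than one assignment, so in practice you would parse the whole file and compare its top-level statements against what the template is expected to emit, flagging anything extra. Between the two safe renderers, `repr()` is preferable to hand-written escaping because it handles every edge case (embedded quotes of either kind, trailing backslashes, non-printable characters) the same way the Python parser does.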