AutoGPT Remote Code Execution Vulnerability via Disabled Block Bypass

A remote code execution vulnerability has been identified in AutoGPT versions prior to 0.6.48. This issue allows authenticated users to execute arbitrary code on the backend server by embedding a disabled development block, known as BlockInstallationBlock, into a graph. The vulnerability arises because the graph validation process did not properly enforce the disabled flag, allowing the block to be executed indirectly through the graph.

Impact

Exploitation of this vulnerability allows for arbitrary code execution on the backend server, with full access to environment secrets such as database credentials and service keys. It also enables direct database access with read/write capabilities, lateral movement to internal services, and persistence through unauthorized disk access within the container.

Remediation

Users running a self-hosted instance of AutoGPT Platform should update to version 0.6.48 immediately. After updating, check for any signs of exploitation by querying the database for graphs that reference the vulnerable BlockInstallationBlock, and look for unauthorized files written to disk that are not part of the repository. If evidence of exploitation is found, treat the instance as compromised and rotate all secrets in the backend environment.