Leonvanzyl Autocoder Remote Code Execution Vulnerability
Vulnerability
A remote code execution vulnerability has been identified in the Leonvanzyl Autocoder project, specifically in commit 79d02a. The issue arises in the '/api/projects/{project}/devserver/start' endpoint, where an attacker can execute arbitrary code by sending a crafted 'command' parameter. Autocoder is an application designed to automate coding tasks using an AI agent.
Impact
Exploitation of this vulnerability allows for arbitrary code execution on the server where Autocoder is running.
Reproduction
To reproduce this vulnerability, send a POST request to the '/api/projects/{project}/devserver/start' endpoint with a crafted command parameter. This can be done using a tool like curl or Postman, or through a script that sends HTTP requests. The command parameter should be designed to execute arbitrary code on the server.
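As an added illustration of the mitigation a defender would want for this class of issue (this is not code from the Autocoder project; the handler shape, the allowlist contents and the argument pattern are assumptions), the following Python shows a server-side check that parses the submitted 'command' value into an argv list, restricts the executable to an allowlisted dev-server launcher, and runs it without a shell, so shell metacharacters in the parameter are never interpreted:

```python
"""Allowlist validation for a user-supplied dev-server start command.

Hypothetical hardening for an endpoint such as
/api/projects/{project}/devserver/start that accepts a ``command`` string.
This is an added example, not the Autocoder project's own code.
"""
import re
import shlex
import subprocess
from pathlib import Path

# Constructed allowlist: launchers a dev server is normally started with.
# Tailor this to what the application actually needs to run.
ALLOWED_EXECUTABLES = {"npm", "pnpm", "yarn", "node", "vite"}
PACKAGE_MANAGERS = {"npm", "pnpm", "yarn"}
# Only script-running verbs are allowed for package managers (constructed).
ALLOWED_SUBCOMMANDS = {"run", "start", "dev"}
# Arguments: short tokens of letters, digits and a few harmless punctuation
# characters. No '/', so no paths; no ';', '&', '|', '$', '`', so nothing that
# would matter even if a shell were ever involved.
_SAFE_ARG = re.compile(r"[A-Za-z0-9_.:=-]{1,64}")


class InvalidDevCommand(ValueError):
    """Raised when a submitted dev-server command fails validation."""


def parse_dev_command(command: str) -> list[str]:
    """Turn ``command`` into an argv list or raise InvalidDevCommand.

    The vulnerable pattern this replaces is passing the raw string to a shell
    (``subprocess.Popen(command, shell=True)``), where ``;``, ``&&`` or
    ``$(...)`` are interpreted by the shell. Tokenising with shlex and running
    with shell=False means the tokens reach execve as literal arguments.
    """
    if not isinstance(command, str) or not command.strip():
        raise InvalidDevCommand("command must be a non-empty string")
    if len(command) > 200:
        raise InvalidDevCommand("command too long")
    try:
        argv = shlex.split(command)
    except ValueError as exc:  # unbalanced quotes and similar
        raise InvalidDevCommand(f"could not parse command: {exc}") from exc
    if not argv:
        raise InvalidDevCommand("command is empty after parsing")

    exe = argv[0]
    # Must be a bare allowlisted name: './x', '/bin/sh' or 'sh' are rejected.
    if exe not in ALLOWED_EXECUTABLES:
        raise InvalidDevCommand(f"executable not allowed: {exe!r}")
    for arg in argv[1:]:
        if not _SAFE_ARG.fullmatch(arg):
            raise InvalidDevCommand(f"argument not allowed: {arg!r}")
    if exe in PACKAGE_MANAGERS and (len(argv) < 2 or argv[1] not in ALLOWED_SUBCOMMANDS):
        raise InvalidDevCommand("package manager must be used as '<pm> run|start|dev ...'")
    return argv


def is_allowed(command: str) -> bool:
    """Convenience predicate: True if ``command`` passes parse_dev_command."""
    try:
        parse_dev_command(command)
    except InvalidDevCommand:
        return False
    return True


def start_devserver(project_dir: Path, command: str) -> subprocess.Popen:
    """Validate and launch the dev server for ``project_dir`` without a shell."""
    argv = parse_dev_command(command)
    # shell=False: argv goes straight to the executable, no shell parsing.
    return subprocess.Popen(
        argv, cwd=project_dir, shell=False,
        stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
    )


if __name__ == "__main__":
    # Constructed sample inputs: one legitimate start command and a few that
    # a handler must refuse. Nothing is executed here; only validation runs.
    for sample in ["npm run dev -- --port=3000", "npm run dev; id",
                   "sh -c id", "npm run $(id)", "/bin/sh", "npm install x"]:
        print(f"{sample!r:32} allowed={is_allowed(sample)}")
```

The design choice worth noting is that the allowlist is enforced on the executable name and on a package-manager verb, not by trying to blacklist dangerous characters; the argument regex is a second, narrower layer, and `shell=False` guarantees that whatever survives validation is passed as literal arguments rather than re-parsed by a shell.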