AutoGPT Workflow Automation Platform Unsafe Redis Cache Deserialization Vulnerability Allowing Backend Remote Code Execution

Vulnerability

A vulnerability exists in the backend component of the AutoGPT workflow automation platform, in versions 0.6.34 up to, but not including, 0.6.51. The backend deserializes bytes read from the Redis cache with pickle.loads, without any integrity or authenticity check. This allows an attacker to poison a shared-cache key in Redis, potentially leading to arbitrary command execution within the backend container context. The vulnerability impacts the application's confidentiality, integrity, and availability.

Impact

Exploitation of this vulnerability allows for arbitrary command execution in the backend container context, with a high severity rating.

Reproduction

To reproduce this vulnerability, first upload a malicious payload by serializing an object that executes a command (such as writing to a file) using pickle.dumps and storing it in a Redis shared-cache key. Then, invoke a cached function that reads from the same Redis key. The malicious payload will be deserialized and executed, demonstrating the vulnerability.

Remediation

Users are advised to update to AutoGPT version 0.6.52, where this vulnerability has been fixed. Additionally, replace pickle serialization in shared cache with safer formats like JSON or MsgPack, and implement strict schema validation. If binary serialization is necessary, verify cryptographic signatures using HMAC before decoding. It is also recommended to harden the Redis deployment by enforcing authentication and TLS, restricting exposure, and isolating cache network access.
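The JSON-plus-HMAC approach recommended above, as an added example (not AutoGPT's own code or its actual fix): the tag is verified before any parsing, then a strict schema is enforced. The names encode_entry, decode_entry, SAMPLE_SCHEMA and the demo secret are hypothetical, and a dict stands in for Redis.

```python
import hashlib
import hmac
import json

TAG_LEN = hashlib.sha256().digest_size  # 32-byte HMAC-SHA256 tag prefix

# Constructed sample schema: exact field names and exact types allowed.
SAMPLE_SCHEMA = {"user_id": str, "credits": int}


class CacheIntegrityError(Exception):
    """Entry failed authentication or schema validation; treat as a cache miss."""


def _tag(secret: bytes, cache_key: str, body: bytes) -> bytes:
    # Bind the tag to the Redis key name so a valid entry cannot be
    # copied under a different key.
    msg = cache_key.encode() + b"\x00" + body
    return hmac.new(secret, msg, hashlib.sha256).digest()


def encode_entry(secret: bytes, cache_key: str, value: dict) -> bytes:
    body = json.dumps(value, sort_keys=True, separators=(",", ":")).encode()
    return _tag(secret, cache_key, body) + body


def decode_entry(secret: bytes, cache_key: str, blob: bytes, schema: dict) -> dict:
    if len(blob) <= TAG_LEN:
        raise CacheIntegrityError("entry too short to carry a tag")
    tag, body = blob[:TAG_LEN], blob[TAG_LEN:]
    # Verify first, in constant time; nothing is parsed before this passes.
    if not hmac.compare_digest(tag, _tag(secret, cache_key, body)):
        raise CacheIntegrityError("HMAC mismatch")
    try:
        value = json.loads(body)
    except ValueError as exc:
        raise CacheIntegrityError("body is not valid JSON") from exc
    if not isinstance(value, dict) or set(value) != set(schema):
        raise CacheIntegrityError("unexpected fields")
    for field, expected in schema.items():
        if type(value[field]) is not expected:
            raise CacheIntegrityError(f"wrong type for {field!r}")
    return value


if __name__ == "__main__":
    secret = b"constructed-demo-secret-32-bytes"  # constructed; load from a secret store
    redis_stub = {"user:1": encode_entry(secret, "user:1", {"user_id": "u1", "credits": 5})}
    print(decode_entry(secret, "user:1", redis_stub["user:1"], SAMPLE_SCHEMA))
```

The signing secret must be held by the backend only and never stored in Redis, otherwise anyone who can write to the cache can also forge tags.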

Added: May 19, 2026, 2:20 AM
Updated: May 19, 2026, 2:20 AM

Vulnerability Rating

Custom Algorithm
spread: 4.2
impact: 10.0
exploitability: 5.5
remediation: 7.7
relevance: 8.8
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.