Assafelovic GPT-Researcher Unauthenticated Remote Code Execution Vulnerability

Vulnerability

A remote code execution vulnerability has been identified in Assafelovic GPT-Researcher versions through 3.4.3. The issue arises in the WebSocket '/ws' endpoint, specifically within the 'extract_command_data' function of 'backend/server/server_utils.py'. This vulnerability allows for code injection by manipulating the 'args' parameter, which is then passed to 'anyio.open_process()' without any validation or sanitization. As a result, an attacker can execute arbitrary commands on the server with the same privileges as the application process.

Impact

Exploitation of this vulnerability allows for unauthenticated remote code execution on the server. The executed commands run with the application's process privileges, enabling attackers to read and write files, install backdoors, pivot to other systems, and exfiltrate data. Additionally, the vulnerability can be exploited from a malicious web page, taking advantage of Cross-Site WebSocket Hijacking.

Reproduction

To reproduce this vulnerability, send a WebSocket message to the '/ws' endpoint with an 'mcp_configs' parameter that includes a command and arguments of the sender's choice. The absence of validation allows the specified command to be executed on the server.

Remediation

It is recommended to allowlist MCP commands, require authentication for the WebSocket endpoint, disable MCP by default, and sandbox MCP processes.
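
The first two recommendations (an MCP command allowlist and an authenticated, origin-checked WebSocket handshake) can be sketched as follows. This is an added example, not code from GPT-Researcher or from this advisory; the function names, the 'command'/'args' entry layout, the allowlist entries, the origin and the token are all assumptions.

```python
import hmac

# Assumed policy values (hypothetical, not taken from the project): exact argv
# tuples approved by the operator, trusted browser origins, a shared token.
ALLOWED_MCP_ARGV = {
    ("python", "-m", "example_mcp_server"),      # constructed sample entry
    ("npx", "-y", "example-mcp-package@1.0.0"),  # constructed sample entry
}
ALLOWED_ORIGINS = {"http://localhost:3000"}
API_TOKEN = "replace-with-secret-from-env"  # placeholder


class MCPConfigRejected(ValueError):
    """Raised when a client-supplied MCP config fails policy."""


def handshake_allowed(origin, token):
    """Gate the WebSocket upgrade on exact Origin match plus a token.

    The Origin check blocks cross-site WebSocket hijacking from a browser;
    the token covers non-browser clients, which can set any Origin.
    """
    if origin not in ALLOWED_ORIGINS or not isinstance(token, str):
        return False
    return hmac.compare_digest(token.encode(), API_TOKEN.encode())


def vet_mcp_config(cfg):
    """Return the argv to spawn, or raise MCPConfigRejected.

    The whole argv is matched, not only the executable name, because a
    launcher given free-form arguments can still run arbitrary code.
    """
    if not isinstance(cfg, dict):
        raise MCPConfigRejected("config entry must be an object")
    command, args = cfg.get("command"), cfg.get("args", [])
    if not isinstance(command, str) or not isinstance(args, list):
        raise MCPConfigRejected("command must be a string, args a list")
    if not all(isinstance(a, str) for a in args):
        raise MCPConfigRejected("args must contain only strings")
    argv = (command, *args)
    if argv not in ALLOWED_MCP_ARGV:
        raise MCPConfigRejected(f"argv not allowlisted: {argv!r}")
    return list(argv)


def vet_all(mcp_configs):
    """Vet every entry before any process is spawned (fail closed)."""
    return [vet_mcp_config(c) for c in mcp_configs]
```

Run handshake_allowed() before accepting the connection and vet_all() before any entry reaches the process-spawning call, so a single rejected entry stops the whole request.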

Added: Apr 6, 2026, 7:18 AM
Updated: Apr 6, 2026, 7:18 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 7.5
exploitability: 8.7
remediation: 0.0
relevance: 5.2
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.