CVE-2024-23750: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

January 22, 2024

MetaGPT through 0.6.4 allows the QaEngineer role to execute arbitrary code because RunCode.run_script() passes shell metacharacters to subprocess.Popen.

References

github.com/advisories/GHSA-g7ph-8423-pf4j
github.com/geekan/MetaGPT/issues/731
github.com/pypa/advisory-database/tree/main/vulns/metagpt/PYSEC-2024-9.yaml
nvd.nist.gov/vuln/detail/CVE-2024-23750

Code Behaviors & Features

Detect and mitigate CVE-2024-23750 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →