CVE-2024-8156
Published: 20 March 2025
Summary
CVE-2024-8156 is a critical-severity Command Injection (CWE-77) vulnerability in Agpt Autogpt Classic. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 18.1% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly mitigates command injection by requiring validation and sanitization of untrusted inputs like github.head.ref before use in workflow commands.
Ensures timely remediation of known flaws such as CVE-2024-8156 through patching the vulnerable workflow-checker.yml as provided in the referenced commit.
Enforces secure configuration settings for GitHub Actions workflows to safely handle untrusted PR branch names and prevent insecure command execution.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is an unauthenticated command injection in a public GitHub Actions workflow triggered by PRs, directly enabling exploitation of public-facing applications (T1190) and arbitrary command execution on Unix-based runners (T1059.004).
NVD Description
A command injection vulnerability exists in the workflow-checker.yml workflow of significant-gravitas/autogpt. The untrusted user input `github.head.ref` is used insecurely, allowing an attacker to inject arbitrary commands. This vulnerability affects versions up to and including the latest version. An attacker can exploit this by creating a branch name with a malicious payload and opening a pull request, potentially leading to reverse shell access or theft of sensitive tokens and keys.
Deeper analysis
CVE-2024-8156 is a command injection vulnerability (CWE-77) in the workflow-checker.yml workflow of the significant-gravitas/autogpt GitHub repository. The issue arises from the insecure use of untrusted user input from `github.head.ref`, which allows arbitrary command injection. This affects versions up to and including the latest version, with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
An unauthenticated remote attacker can exploit the vulnerability by creating a GitHub branch name containing a malicious payload and opening a pull request to the repository. Successful exploitation enables arbitrary command execution, potentially leading to reverse shell access or theft of sensitive tokens and keys.
A patch addressing the vulnerability is available in commit 1df7d527dd37dff8363dc162fb58d300f072e302 at https://github.com/significant-gravitas/autogpt/commit/1df7d527dd37dff8363dc162fb58d300f072e302. Further details are provided on the Huntr bounty page at https://huntr.com/bounties/959efe87-f109-4cef-94d8-90ff2c7aef51.
AutoGPT is an AI agent framework, highlighting the vulnerability's relevance to AI/ML repositories relying on GitHub Actions workflows.
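An added example, not code from the AutoGPT project or from the referenced commit: a small Python check that flags `${{ ... }}` expressions carrying the PR branch name inside `run:` scripts, where the runner substitutes them into the shell text before execution. Assumptions: the workflow snippets are constructed (the real workflow-checker.yml is not reproduced on this page), `github.head_ref` and `github.event.pull_request.head.ref` are GitHub's context names for what the description calls `github.head.ref`, and the `env:` variant shown is the commonly recommended hardening, not necessarily the change made in the patch.

```python
import re

# GitHub Actions context names that carry the PR's source branch name.
UNTRUSTED = ("github.head_ref", "github.event.pull_request.head.ref")
EXPR = re.compile(r"\$\{\{(.*?)\}\}")
RUN_KEY = re.compile(r"^(\s*(?:-\s+)?)run:\s*(.*)$")


def find_injectable_runs(workflow_text):
    """Return (line_number, expression) for every untrusted expression that is
    expanded inside a run: script. Line-based heuristic, not a YAML parser."""
    findings = []
    key_col = None  # column of the current run: key; None when outside a script
    for number, line in enumerate(workflow_text.splitlines(), start=1):
        indent = len(line) - len(line.lstrip())
        in_body = key_col is not None and (not line.strip() or indent > key_col)
        if in_body:
            script = line
        else:
            match = RUN_KEY.match(line)
            key_col = len(match.group(1)) if match else None
            script = match.group(2) if match else ""
        findings += [(number, e.strip()) for e in EXPR.findall(script)
                     if any(name in e for name in UNTRUSTED)]
    return findings


# Constructed samples (hypothetical workflow, not the project's file).
HEAD = "on: pull_request\njobs:\n  check:\n    runs-on: ubuntu-latest\n    steps:\n"
# Weak: the branch name is pasted into the script text before the shell runs.
VULNERABLE = HEAD + """\
      - name: Show branch
        run: |
          echo "Checking ${{ github.head_ref }}"
"""
# Hardened: the value reaches the shell only as a quoted environment variable.
HARDENED = HEAD + """\
      - name: Show branch
        env:
          BRANCH: ${{ github.head_ref }}
        run: |
          echo "Checking $BRANCH"
"""

if __name__ == "__main__":
    print("vulnerable:", find_injectable_runs(VULNERABLE))
    print("hardened:  ", find_injectable_runs(HARDENED))
```

The same expression under `env:` is not flagged because it is assigned as data rather than spliced into the script; the check only looks at `run:` bodies.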
Details
- CWE(s)