Summary
If the victim has "Execute" auto-approved for a specific command like ls, an attacker able to craft a prompt could inject arbitrary commands to be sent alongside the original auto-executed command, because process substitution and the single ampersand were not handled correctly in the command parsing logic.
Impact
This vulnerability is high complexity since it requires the attacker to already be able to submit prompts to the agent (for instance through a prompt injection attack) and for the user to have enabled auto-approved command execution (off by default), but also of high severity since it would give the attacker the ability to execute arbitrary code.
Remediation
We fixed the command parsing to correctly handle process substitution.
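An added example, not the project's own code: a fail-closed auto-approval gate in Python that treats the single ampersand as a command separator and rejects process substitution outright. The allowlist contents and the function names are assumptions made for illustration.

```python
import re

# Assumption: command prefixes the user has auto-approved (the page's example is "ls").
ALLOWED_PREFIXES = ["ls"]
# Constructs that run another command inside an argument: process substitution
# <(...) and >(...), command substitution $(...), and backticks.
SUBSTITUTION = re.compile(r"[<>]\(|\$\(|`")
# Operators that chain commands. "&&" is listed before "&" so both are recognised.
CHAIN = re.compile(r"&&|\|\||;|\||&|\n")


def split_segments(command):
    """Split on chaining operators outside quotes; None if a quote is left open."""
    segments, buf, quote, i = [], [], None, 0
    while i < len(command):
        ch = command[i]
        if ch == "\\" and quote != "'" and i + 1 < len(command):
            buf.append(command[i:i + 2])  # escaped character, never an operator
            i += 2
            continue
        op = CHAIN.match(command, i) if quote is None else None
        if op:
            segments.append("".join(buf))
            buf, i = [], op.end()
            continue
        if quote is None and ch in "'\"":
            quote = ch
        elif ch == quote:
            quote = None
        buf.append(ch)
        i += 1
    if quote is not None:
        return None
    segments.append("".join(buf))
    return [s.strip() for s in segments if s.strip()]


def is_auto_approved(command):
    """Fail closed: every segment must match the allowlist, with no substitution."""
    if SUBSTITUTION.search(command):  # checked on the raw string, quoted or not
        return False
    segments = split_segments(command)
    if not segments:  # empty input or unterminated quote
        return False
    return all(
        any(seg == p or seg.startswith(p + " ") for p in ALLOWED_PREFIXES)
        for seg in segments
    )
```

A command that fails the gate is not blocked, only sent back to the user for manual approval, so over-rejecting (for example a quoted `<(`) costs a prompt rather than functionality.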