diff --git a/rules/cre-2025-0150/autogpt-prompt-injection-memory-exhaustion.yaml b/rules/cre-2025-0150/autogpt-prompt-injection-memory-exhaustion.yaml new file mode 100644 index 0000000..7df8419 --- /dev/null +++ b/rules/cre-2025-0150/autogpt-prompt-injection-memory-exhaustion.yaml 
@@ -0,0 +1,122 @@ +rules: + - metadata: + kind: prequel + id: 5K8mNpQr8vTzHJsEXwGcM + version: "1.0.0" + cre: + id: CRE-2025-0100 + severity: 0 + title: "AutoGPT Prompt Injection + Memory Exhaustion Cascade" + category: "prompt-injection-memory-exhaustion" + author: "Security Researcher" + description: | + AutoGPT is vulnerable to a sophisticated prompt injection attack that triggers a memory exhaustion cascade, + leading to complete system failure. This vulnerability exploits the interaction between prompt compression logic, + LLM retry mechanisms, and task execution loops. + + The vulnerability stems from three interconnected failure modes: + 1. Prompt Compression Infinite Loop: The compress_prompt function can enter an infinite loop during middle-out deletion + 2. LLM Retry Memory Accumulation: Retry mechanisms accumulate memory during failed API calls without proper cleanup + 3. Task Execution Loop Exploitation: Main execution loop can be exploited to create recursive task generation + + A malicious user can craft a prompt that triggers the prompt compression algorithm to enter an infinite loop, + causes LLM API failures that accumulate memory during retries, and exploits the task execution loop to generate + recursive tasks, resulting in memory exhaustion and system crash (SIGKILL). 
+ cause: | + ROOT CAUSES: + - Prompt compression algorithm in backend/util/prompt.py lacks proper loop detection and timeout mechanisms + - LLM retry mechanism in backend/blocks/llm.py accumulates memory during failed API calls without cleanup + - Task execution loop in backend/executor/manager.py can be exploited for recursive task generation + - Insufficient input validation for prompt size and structure + - Missing circuit breakers for resource exhaustion scenarios + impact: | + BUSINESS IMPACT: + - CRITICAL: Complete system failure with AutoGPT process crash (exit code 137) + - Memory exhaustion causing OOM killer termination + - Service outage affecting all running agents and tasks + - Data loss of in-progress tasks and agent states + - Resource exhaustion consuming CPU and memory until system failure + - Potential cascading failures across integrated systems + impactScore: 10 + mitigation: | + IMMEDIATE ACTIONS: + - Set strict memory limits on AutoGPT containers (max 2GB per container) + - Implement input validation for prompt size and structure + - Reduce LLM retry attempts and implement exponential backoff + - Deploy real-time resource monitoring and alerting + + RECOVERY ACTIONS (15-60 minutes): + - Restart AutoGPT services with memory limits + - Implement prompt compression timeout mechanisms + - Add proper memory cleanup in retry mechanisms + - Deploy circuit breakers for resource exhaustion scenarios + + PREVENTION STRATEGIES: + - Implement loop detection and timeout mechanisms in prompt compression + - Add task structure validation to prevent recursive loops + - Deploy comprehensive monitoring for memory usage patterns + - Implement rate limiting and request size validation + mitigationScore: 7 + references: + - "https://github.com/Significant-Gravitas/AutoGPT/blob/main/autogpt_platform/backend/backend/util/prompt.py" + - "https://github.com/Significant-Gravitas/AutoGPT/blob/main/autogpt_platform/backend/backend/blocks/llm.py" + - 
"https://github.com/Significant-Gravitas/AutoGPT/blob/main/autogpt_platform/backend/backend/executor/manager.py" + applications: + - name: "AutoGPT" + version: ">=0.4.0" + containerName: "autogpt-backend" + tags: + - autogpt + - prompt-injection + - memory-exhaustion + - crash + - sigkill + - oom-killer + - recursive-tasks + - prompt-compression + - llm-retry + - critical-failure + reports: 1 + rule: + sequence: + window: "300s" + event: + source: application-logs + origin: true + order: + - prompt_compression_errors + - memory_pressure_indicators + - llm_retry_failures + - system_crash + negate: + - normal_operation + - graceful_shutdown + +terms: + prompt_compression_errors: + field: message + regex: "(?i)(compress_prompt.*exceeds budget|prompt.*compression.*triggered|token.*count.*exceeded)" + count: 2 + + memory_pressure_indicators: + field: message + regex: "(?i)(memory.*usage.*exceeded|memory.*accumulation.*retry|memory.*exhaustion)" + count: 3 + + llm_retry_failures: + field: message + regex: "(?i)(LLM.*API.*call.*failed.*retrying|maximum.*retry.*attempts.*exceeded)" + count: 2 + + system_crash: + field: message + regex: "(?i)(process.*killed.*signal.*9|SIGKILL|OOM.*killer.*activated|container.*crashed)" + count: 1 + + normal_operation: + field: message + regex: "(?i)(started.*successfully|ready.*accept.*connections|health.*check.*passed)" + + graceful_shutdown: + field: message + regex: "(?i)(graceful.*shutdown|shutting.*down.*normally|clean.*exit)" diff --git a/rules/cre-2025-0150/test.log b/rules/cre-2025-0150/test.log new file mode 100644 index 0000000..a38c5c9 --- /dev/null +++ b/rules/cre-2025-0150/test.log 
@@ -0,0 +1,100 @@
+2025-08-31T10:17:12Z [INFO] * Serving Flask app 'vulnerable_server'
+2025-08-31T10:17:12Z [INFO] * Debug mode: on
+2025-08-31T10:17:12Z [INFO] * Tip: There are .env files present. Install python-dotenv to use them.
+2025-08-31T10:17:12Z [WARNING] INFO:werkzeug:WARNING: This is a development server. Do not use it in a production deployment. Use a production WSGI server instead.
+2025-08-31T10:17:12Z [INFO] * Running on all addresses (0.0.0.0)
+2025-08-31T10:17:12Z [INFO] * Running on http://127.0.0.1:8000
+2025-08-31T10:17:12Z [INFO] * Running on http://172.18.0.7:8000
+2025-08-31T10:17:12Z [INFO] INFO:werkzeug:Press CTRL+C to quit
+2025-08-31T10:17:12Z [INFO] INFO:werkzeug: * Restarting with stat
+2025-08-31T10:17:12Z [INFO] * Tip: There are .env files present. Install python-dotenv to use them.
+2025-08-31T10:17:12Z [WARNING] WARNING:werkzeug: * Debugger is active!
+2025-08-31T10:17:12Z [INFO] INFO:werkzeug: * Debugger PIN: 312-761-273
+2025-08-31T10:17:12Z [INFO] INFO:werkzeug:172.18.0.4 - - [31/Aug/2025 10:17:12] "GET /metrics HTTP/1.1" 404 -
+2025-08-31T10:17:17Z [INFO] INFO:werkzeug:172.18.0.4 - - [31/Aug/2025 10:17:17] "GET /metrics HTTP/1.1" 404 -
+2025-08-31T10:17:22Z [INFO] INFO:werkzeug:172.18.0.4 - - [31/Aug/2025 10:17:22] "GET /metrics HTTP/1.1" 404 -
+2025-08-31T10:17:27Z [INFO] INFO:werkzeug:172.18.0.4 - - [31/Aug/2025 10:17:27] "GET /metrics HTTP/1.1" 404 -
+2025-08-31T10:17:32Z [INFO] INFO:werkzeug:172.18.0.4 - - [31/Aug/2025 10:17:32] "GET /metrics HTTP/1.1" 404 -
+2025-08-31T10:17:37Z [INFO] INFO:werkzeug:172.18.0.4 - - [31/Aug/2025 10:17:37] "GET /metrics HTTP/1.1" 404 -
+2025-08-31T10:17:42Z [INFO] INFO:werkzeug:172.18.0.4 - - [31/Aug/2025 10:17:42] "GET /metrics HTTP/1.1" 404 -
+2025-08-31T10:17:47Z [INFO] INFO:werkzeug:172.18.0.4 - - [31/Aug/2025 10:17:47] "GET /metrics HTTP/1.1" 404 -
+2025-08-31T10:17:52Z [INFO] INFO:werkzeug:172.18.0.4 - - [31/Aug/2025 10:17:52] "GET /metrics HTTP/1.1" 404 -
+2025-08-31T10:17:57Z [INFO] INFO:werkzeug:172.18.0.4 - - [31/Aug/2025 10:17:57] "GET /metrics HTTP/1.1" 404 -
+2025-08-31T10:18:02Z [INFO] INFO:werkzeug:172.18.0.4 - - [31/Aug/2025 10:18:02] "GET /metrics HTTP/1.1" 404 -
+2025-08-31T10:18:07Z [INFO] INFO:werkzeug:172.18.0.4 - - [31/Aug/2025 10:18:07] "GET /metrics HTTP/1.1" 404 -
+2025-08-31T10:18:08Z [INFO] INFO:werkzeug:172.18.0.1 - - [31/Aug/2025 10:18:08] "GET /health HTTP/1.1" 200 -
+2025-08-31T10:18:08Z [WARNING] WARNING:vulnerable_server:Recursive content detected - vulnerability trigger 1
+2025-08-31T10:18:08Z [WARNING] WARNING:vulnerable_server:Memory exhaustion keywords detected - vulnerability trigger 3
+2025-08-31T10:18:08Z [WARNING] WARNING:vulnerable_server:Prompt compression triggered - attempting to compress tokens
+2025-08-31T10:18:08Z [ERROR] ERROR:vulnerable_server:compress_prompt: prompt still exceeds budget (120,000 > 100,000)
+2025-08-31T10:18:08Z [ERROR] ERROR:vulnerable_server:LLM API call failed, retrying... (attempt 1/5)
+2025-08-31T10:18:08Z [WARNING] WARNING:vulnerable_server:Memory accumulation during retry cycle - current usage: 200MB
+2025-08-31T10:18:08Z [WARNING] WARNING:vulnerable_server:Allocated 209715200 bytes, total chunks: 1
+2025-08-31T10:18:08Z [ERROR] ERROR:vulnerable_server:LLM API call failed, retrying... (attempt 2/5)
+2025-08-31T10:18:08Z [WARNING] WARNING:vulnerable_server:Memory accumulation during retry cycle - current usage: 400MB
+2025-08-31T10:18:08Z [WARNING] WARNING:vulnerable_server:Allocated 209715200 bytes, total chunks: 2
+2025-08-31T10:18:08Z [ERROR] ERROR:vulnerable_server:LLM API call failed, retrying... (attempt 3/5)
+2025-08-31T10:18:08Z [WARNING] WARNING:vulnerable_server:Memory accumulation during retry cycle - current usage: 600MB
+2025-08-31T10:18:08Z [WARNING] WARNING:vulnerable_server:Allocated 209715200 bytes, total chunks: 3
+2025-08-31T10:18:08Z [ERROR] ERROR:vulnerable_server:LLM API call failed, retrying... (attempt 4/5)
+2025-08-31T10:18:08Z [WARNING] WARNING:vulnerable_server:Memory accumulation during retry cycle - current usage: 800MB
+2025-08-31T10:18:08Z [WARNING] WARNING:vulnerable_server:Allocated 209715200 bytes, total chunks: 4
+2025-08-31T10:18:12Z [INFO] INFO:werkzeug:172.18.0.4 - - [31/Aug/2025 10:18:12] "GET /metrics HTTP/1.1" 404 -
+2025-08-31T10:18:12Z [ERROR] ERROR:vulnerable_server:LLM API call failed, retrying... (attempt 5/5)
+2025-08-31T10:18:12Z [WARNING] WARNING:vulnerable_server:Memory accumulation during retry cycle - current usage: 1000MB
+2025-08-31T10:18:12Z [WARNING] WARNING:vulnerable_server:Allocated 209715200 bytes, total chunks: 5
+2025-08-31T10:18:12Z [CRITICAL] CRITICAL:vulnerable_server:Memory usage exceeded threshold: 95%
+2025-08-31T10:18:12Z [CRITICAL] CRITICAL:vulnerable_server:OOM killer activated - terminating AutoGPT process
+2025-08-31T10:18:12Z [ERROR] ERROR:vulnerable_server:Process killed by signal 9 (SIGKILL)
+2025-08-31T10:18:12Z [INFO] * Tip: There are .env files present. Install python-dotenv to use them.
+2025-08-31T10:18:12Z [INFO] * Serving Flask app 'vulnerable_server'
+2025-08-31T10:18:12Z [INFO] * Debug mode: on
+2025-08-31T10:18:12Z [WARNING] INFO:werkzeug:WARNING: This is a development server. Do not use it in a production deployment. Use a production WSGI server instead.
+2025-08-31T10:18:12Z [INFO] * Running on all addresses (0.0.0.0)
+2025-08-31T10:18:12Z [INFO] * Running on http://127.0.0.1:8000
+2025-08-31T10:18:12Z [INFO] * Running on http://172.18.0.7:8000
+2025-08-31T10:18:12Z [INFO] INFO:werkzeug:Press CTRL+C to quit
+2025-08-31T10:18:12Z [INFO] INFO:werkzeug: * Restarting with stat
+2025-08-31T10:18:12Z [INFO] * Tip: There are .env files present. Install python-dotenv to use them.
+2025-08-31T10:18:12Z [WARNING] WARNING:werkzeug: * Debugger is active!
+2025-08-31T10:18:12Z [INFO] INFO:werkzeug: * Debugger PIN: 803-379-536
+2025-08-31T10:18:17Z [INFO] INFO:werkzeug:172.18.0.4 - - [31/Aug/2025 10:18:17] "GET /metrics HTTP/1.1" 404 -
+2025-08-31T10:18:17Z [WARNING] WARNING:vulnerable_server:Recursive content detected - vulnerability trigger 1
+2025-08-31T10:18:17Z [WARNING] WARNING:vulnerable_server:Memory exhaustion keywords detected - vulnerability trigger 3
+2025-08-31T10:18:17Z [WARNING] WARNING:vulnerable_server:Prompt compression triggered - attempting to compress tokens
+2025-08-31T10:18:17Z [ERROR] ERROR:vulnerable_server:compress_prompt: prompt still exceeds budget (120,000 > 100,000)
+2025-08-31T10:18:17Z [ERROR] ERROR:vulnerable_server:LLM API call failed, retrying... (attempt 1/5)
+2025-08-31T10:18:17Z [WARNING] WARNING:vulnerable_server:Memory accumulation during retry cycle - current usage: 200MB
+2025-08-31T10:18:17Z [WARNING] WARNING:vulnerable_server:Allocated 209715200 bytes, total chunks: 1
+2025-08-31T10:18:17Z [ERROR] ERROR:vulnerable_server:LLM API call failed, retrying... (attempt 2/5)
+2025-08-31T10:18:17Z [WARNING] WARNING:vulnerable_server:Memory accumulation during retry cycle - current usage: 400MB
+2025-08-31T10:18:17Z [WARNING] WARNING:vulnerable_server:Allocated 209715200 bytes, total chunks: 2
+2025-08-31T10:18:22Z [INFO] INFO:werkzeug:172.18.0.4 - - [31/Aug/2025 10:18:22] "GET /metrics HTTP/1.1" 404 -
+2025-08-31T10:18:22Z [ERROR] ERROR:vulnerable_server:LLM API call failed, retrying... (attempt 3/5)
+2025-08-31T10:18:22Z [WARNING] WARNING:vulnerable_server:Memory accumulation during retry cycle - current usage: 600MB
+2025-08-31T10:18:22Z [WARNING] WARNING:vulnerable_server:Allocated 209715200 bytes, total chunks: 3
+2025-08-31T10:18:22Z [ERROR] ERROR:vulnerable_server:LLM API call failed, retrying... (attempt 4/5)
+2025-08-31T10:18:22Z [WARNING] WARNING:vulnerable_server:Memory accumulation during retry cycle - current usage: 800MB
+2025-08-31T10:18:22Z [WARNING] WARNING:vulnerable_server:Allocated 209715200 bytes, total chunks: 4
+2025-08-31T10:18:25Z [INFO] INFO:werkzeug:172.18.0.1 - - [31/Aug/2025 10:18:25] "GET /health HTTP/1.1" 200 -
+2025-08-31T10:18:25Z [ERROR] ERROR:vulnerable_server:LLM API call failed, retrying... (attempt 5/5)
+2025-08-31T10:18:25Z [WARNING] WARNING:vulnerable_server:Memory accumulation during retry cycle - current usage: 1000MB
+2025-08-31T10:18:25Z [WARNING] WARNING:vulnerable_server:Allocated 209715200 bytes, total chunks: 5
+2025-08-31T10:18:25Z [CRITICAL] CRITICAL:vulnerable_server:Memory usage exceeded threshold: 95%
+2025-08-31T10:18:25Z [CRITICAL] CRITICAL:vulnerable_server:OOM killer activated - terminating AutoGPT process
+2025-08-31T10:18:25Z [ERROR] ERROR:vulnerable_server:Process killed by signal 9 (SIGKILL)
+2025-08-31T10:18:25Z [INFO] * Tip: There are .env files present. Install python-dotenv to use them.
+2025-08-31T10:18:25Z [INFO] * Serving Flask app 'vulnerable_server'
+2025-08-31T10:18:25Z [INFO] * Debug mode: on
+2025-08-31T10:18:25Z [WARNING] INFO:werkzeug:WARNING: This is a development server. Do not use it in a production deployment. Use a production WSGI server instead.
+2025-08-31T10:18:25Z [INFO] * Running on all addresses (0.0.0.0)
+2025-08-31T10:18:25Z [INFO] * Running on http://127.0.0.1:8000
+2025-08-31T10:18:25Z [INFO] * Running on http://172.18.0.7:8000
+2025-08-31T10:18:25Z [INFO] INFO:werkzeug:Press CTRL+C to quit
+2025-08-31T10:18:25Z [INFO] INFO:werkzeug: * Restarting with stat
+2025-08-31T10:18:25Z [INFO] * Tip: There are .env files present. Install python-dotenv to use them.
+2025-08-31T10:18:25Z [WARNING] WARNING:werkzeug: * Debugger is active!
+2025-08-31T10:18:25Z [INFO] INFO:werkzeug: * Debugger PIN: 142-012-072 +2025-08-31T10:18:32Z [INFO] INFO:werkzeug:172.18.0.4 - - [31/Aug/2025 10:18:32] "GET /metrics HTTP/1.1" 404 - +2025-08-31T10:18:37Z [INFO] INFO:werkzeug:172.18.0.4 - - [31/Aug/2025 10:18:37] "GET /metrics HTTP/1.1" 404 - +2025-08-31T10:18:42Z [INFO] INFO:werkzeug:172.18.0.4 - - [31/Aug/2025 10:18:42] "GET /metrics HTTP/1.1" 404 - diff --git a/rules/tags/categories.yaml b/rules/tags/categories.yaml index e61a0cb..42e441b 100644 --- a/rules/tags/categories.yaml +++ b/rules/tags/categories.yaml @@ -99,6 +99,9 @@ categories: - name: configuration-problem displayName: Configuration Problem description: Problems related to system or application configurations + - name: prompt-injection-memory-exhaustion + displayName: Prompt Injection Memory Exhaustion + description: Security vulnerabilities related to prompt injection attacks causing memory exhaustion and system failures - name: monitoring-problem displayName: Monitoring Problem description: Problems related to system or application monitoring diff --git a/rules/tags/tags.yaml b/rules/tags/tags.yaml index 1acb1dc..3b4701a 100644 --- a/rules/tags/tags.yaml +++ b/rules/tags/tags.yaml 
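Review bot: The fixture only exercises the positive path: nothing in it shows the rule's `negate` terms (`normal_operation`, `graceful_shutdown`) suppressing a match, and the restart block after each `Process killed by signal 9 (SIGKILL)` (`Serving Flask app`, `Running on ...`) does not match `started.*successfully|ready.*accept.*connections`, so the negate clause is effectively untested. Add a second fixture, or a trailing section, containing a clean start plus a line such as `graceful shutdown complete` and confirm the rule stays silent on it. The log is also visibly from a Flask development server (`Debug mode: on`, `Debugger PIN: ...`, `vulnerable_server`) rather than the `autogpt-backend` container the rule targets, which is worth stating in a header comment or the file name so nobody mistakes it for captured AutoGPT output.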
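Review bot: `prompt-injection-memory-exhaustion` is far narrower than the surrounding categories (`configuration-problem`, `monitoring-problem`), which are taxonomy buckets rather than descriptions of one rule's attack chain; encoding a single scenario in a category name means the next LLM-agent rule needs yet another category. A broader bucket would fit the existing scheme, e.g. `- name: resource-exhaustion` / `displayName: Resource Exhaustion` / `description: Problems where a workload consumes memory, CPU or other resources until it fails`, with `prompt-injection` kept as a tag on the rule.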
@@ -98,7 +98,34 @@ tags: description: Failures involving the OVSDB (Open vSwitch Database) protocol or schema. - name: panic displayName: Panic - description: Crashes due to unrecoverable errors, especially in Go or Rust applications. + description: Application panics and unrecoverable runtime errors + - name: autogpt + displayName: AutoGPT + description: Problems with AutoGPT autonomous agent framework + - name: prompt-injection + displayName: Prompt Injection + description: Security vulnerabilities related to prompt injection attacks + - name: memory-exhaustion + displayName: Memory Exhaustion + description: Problems with memory exhaustion and resource depletion + - name: sigkill + displayName: SIGKILL + description: Process termination by SIGKILL signal + - name: oom-killer + displayName: OOM Killer + description: Out of Memory killer termination + - name: recursive-tasks + displayName: Recursive Tasks + description: Problems with recursive task generation + - name: prompt-compression + displayName: Prompt Compression + description: Issues with prompt compression algorithms + - name: llm-retry + displayName: LLM Retry + description: Problems with LLM retry mechanisms + - name: critical-failure + displayName: Critical Failure + description: Critical system failures requiring immediate attention, including crashes due to unrecoverable errors - name: password displayName: Password description: Problems with password policies, validation, or storage. @@ -666,9 +693,6 @@ tags: - name: container-crash displayName: Container Crash description: Failures causing container crashes or unexpected terminations. - - name: memory-exhaustion - displayName: Memory Exhaustion - description: Failures due to running out of memory or excessive memory consumption. - name: configuration-failure displayName: Configuration Failure description: Problems caused by incorrect or invalid configuration settings. 
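Review bot: Three of the "new" tags here (`memory-exhaustion`, `sigkill`, `critical-failure`) already exist in this file and are deleted by the later hunks, so the net effect is a move with reworded, less precise descriptions: `Failures due to running out of memory or excessive memory consumption.` becomes `Problems with memory exhaustion and resource depletion`, and `Failures caused by processes being terminated with a SIGKILL signal.` becomes `Process termination by SIGKILL signal`. The hunk also rewrites the unrelated `panic` description, dropping the Go/Rust note, which has nothing to do with this rule. Limit this hunk to the genuinely new tags (`autogpt`, `prompt-injection`, `recursive-tasks`, `prompt-compression`, `llm-retry`), leave `panic` untouched, and keep the three existing entries where they are with their original descriptions.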
@@ -681,9 +705,7 @@ tags: - name: permission-denied displayName: Permission Denied description: Failures caused by insufficient access rights or permission errors. - - name: sigkill - displayName: SIGKILL - description: Failures caused by processes being terminated with a SIGKILL signal. + - name: jetstream displayName: JetStream description: NATS JetStream persistence & streaming subsystem issues. @@ -827,9 +849,7 @@ tags: - name: cache-eviction displayName: Cache Eviction description: Problems related to cache eviction policies and performance - - name: critical-failure - displayName: Critical Failure - description: Failures that cause immediate service termination or data loss + - name: ssl-certificate displayName: SSL Certificate description: Problems related to SSL/TLS certificate validation, expiration, trust chain issues, or handshake failures
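Review bot: The deletion leaves a stray blank added line (a `+` with nothing after it) between `permission-denied` and `jetstream`, and the `critical-failure` hunk below does the same between `cache-eviction` and `ssl-certificate`; the rest of the list has no blank lines between entries. Remove both empty lines so the sequence stays contiguous, or, if the original entries are kept in place instead of being re-added further up with weaker descriptions, drop these two hunks entirely.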