CVE-2024-8156

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2024-8156
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-8156.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-8156
Published
2025-03-20T10:15:41.247Z
Modified
2026-03-13T07:58:11.591729Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

A command injection vulnerability exists in the workflow-checker.yml workflow of significant-gravitas/autogpt. The untrusted user input github.head.ref is used insecurely, allowing an attacker to inject arbitrary commands. This vulnerability affects versions up to and including the latest version. An attacker can exploit this by creating a branch name with a malicious payload and opening a pull request, potentially leading to reverse shell access or theft of sensitive tokens and keys.

References

Affected packages

Git / github.com/significant-gravitas/autogpt

Affected ranges

Type
GIT
Repo
https://github.com/significant-gravitas/autogpt
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
26324f29849967fa72c207da929af612f1740669
Fixed
1df7d527dd37dff8363dc162fb58d300f072e302
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "0.5.1"
        }
    ]
}

Affected versions

agbenchmark-v0.*
agbenchmark-v0.0.10
v0.*
v0.1.0
v0.1.1
v0.1.2
v0.1.3
v0.2.0
v0.2.1
v0.2.2
v0.3.0
v0.3.1
v0.4.0
v0.4.1
v0.4.2
v0.4.3
v0.4.3-alpha
v0.4.4
v0.4.5

Database specific

source 
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-8156.json"