Impact

When Auto-GPT is executed directly on the host system via the provided run.sh or run.bat files, custom Python code execution is sandboxed using a temporary dedicated docker container which should not have access to any files outside of the Auto-GPT workspace directory.
Before v0.4.3 the execute_python_code command (introduced in v0.4.1) does not sanitize the basename arg before writing LLM-supplied code to a file with an LLM-supplied name. This allows for a path traversal attack that can overwrite any .py file outside the workspace directory by specifying a basename such as ../../../main.py.
This can further be abused to achieve arbitrary code execution on the host running Auto-GPT by e.g. overwriting autogpt/main.py which will be executed outside of the docker environment meant to sandbox custom python code execution the next time Auto-GPT is started.

Patches

The issue has been patched through PR #4756, and the patch was included in release v0.4.3.

Workarounds

The risk introduced by this vulnerability can be remediated by running Auto-GPT in a virtual machine, or another environment in which damage to files or corruption of the program is not a critical problem.

References

• #4756
• https://positive.security/blog/auto-gpt-rce#non-docker-version