Impact
Running Auto-GPT < v0.4.3 by cloning the git repo and executing docker compose run auto-gpt in the repo root uses a different docker-compose.yml file from the one suggested in the official docker set up instructions. The docker-compose.yml file located in the repo root mounts itself into the docker container without write protection.
This means that if malicious custom python code is executed via the execute_python_file and execute_python_code commands, it can overwrite the docker-compose.yml file and abuse it to gain control of the host system the next time Auto-GPT is started.
Patches
The issue has been patched in PR #4761, and the patch is included in release v0.4.3.
Workarounds
If you are unable or not willing to upgrade to the newest version of Auto-GPT, the patch can be applied manually in docker-compose.yml as follows:
volumes:
- ./:/app
# add the following two lines:
- ./docker-compose.yml:/app/docker-compose.yml:ro
- ./Dockerfile:/app/Dockerfile:roReferences
Impact
Running Auto-GPT < v0.4.3 by cloning the git repo and executing
docker compose run auto-gptin the repo root uses a different docker-compose.yml file from the one suggested in the official docker set up instructions. The docker-compose.yml file located in the repo root mounts itself into the docker container without write protection.This means that if malicious custom python code is executed via the
execute_python_fileandexecute_python_codecommands, it can overwrite the docker-compose.yml file and abuse it to gain control of the host system the next time Auto-GPT is started.Patches
The issue has been patched in PR #4761, and the patch is included in release v0.4.3.
Workarounds
If you are unable or not willing to upgrade to the newest version of Auto-GPT, the patch can be applied manually in docker-compose.yml as follows:
References