Arbitrary Code Execution Vulnerability in MetaGPT (Versions up to 0.6.4)

CVE-2024-23750 · HIGH Severity

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

MetaGPT through 0.6.4 allows the QaEngineer role to execute arbitrary code because RunCode.run_script() passes shell metacharacters to subprocess.Popen.
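
The bug class named in the description, shown as an added illustration that is not MetaGPT's own code: a value interpolated into a shell-parsed command string beside the same call made with an argv list. The function names, the child program and the sample file name are hypothetical and constructed for this example, and it assumes a POSIX /bin/sh.

```python
import shlex
import subprocess
import sys

# Child process that only reports the arguments it was given.
REPORT_ARGS = "import sys; print(sys.argv[1:])"
# Fixed, trusted prefix of the command line (interpreter plus inline program).
PREFIX = f"{shlex.quote(sys.executable)} -c {shlex.quote(REPORT_ARGS)}"


def _capture(cmd, use_shell: bool) -> str:
    """Run cmd through subprocess.Popen and return its stdout."""
    proc = subprocess.Popen(cmd, shell=use_shell, stdout=subprocess.PIPE, text=True)
    out, _ = proc.communicate(timeout=30)
    return out


def run_with_shell(script_name: str) -> str:
    """Weak form: the value is pasted into a string that /bin/sh parses."""
    return _capture(f"{PREFIX} {script_name}", use_shell=True)


def run_with_argv(script_name: str) -> str:
    """Hardened form: argv list, no shell, so the value is one literal argument."""
    return _capture([sys.executable, "-c", REPORT_ARGS, script_name], use_shell=False)


def run_with_quoted_shell(script_name: str) -> str:
    """Fallback when a shell cannot be avoided: quote every untrusted value."""
    return _capture(f"{PREFIX} {shlex.quote(script_name)}", use_shell=True)


# Constructed input: a file name carrying a shell command separator.
SAMPLE = "test_sample.py; echo INJECTED"

if __name__ == "__main__":
    for fn in (run_with_shell, run_with_argv, run_with_quoted_shell):
        print(f"{fn.__name__:22} -> {fn(SAMPLE).splitlines()}")
```

In the weak form the shell splits the value at `;` and runs the trailing text as a second command; in the other two forms the child receives the whole string as a single argument.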
