CVE-2024-8156
📋 TL;DR
CVE-2024-8156 is a critical command injection vulnerability in AutoGPT's GitHub Actions workflow. An attacker can inject arbitrary commands by creating a branch with a malicious name and opening a pull request, potentially gaining remote code execution. All AutoGPT users with vulnerable GitHub Actions workflows are affected.
💻 Affected Systems
- significant-gravitas/autogpt
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the GitHub Actions runner environment leading to reverse shell access, theft of sensitive tokens/secrets, and lateral movement within the CI/CD pipeline.
Likely Case
Unauthorized command execution in the GitHub Actions runner, potentially exposing repository secrets, API keys, and sensitive environment variables.
If Mitigated
Limited impact with proper input validation and sandboxing, potentially only affecting the specific workflow execution.
🎯 Exploit Status
Exploitation requires ability to create branches and open pull requests in the repository
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Fixed in commit 1df7d527dd37dff8363dc162fb58d300f072e302
Vendor Advisory: https://github.com/significant-gravitas/autogpt/commit/1df7d527dd37dff8363dc162fb58d300f072e302
Restart Required: No
Instructions:
1. Update to the latest AutoGPT version
2. Ensure workflow-checker.yml contains the patched version
3. Review and update any custom workflows using similar patterns
🔧 Temporary Workarounds
Disable vulnerable workflow
Temporarily disable the workflow-checker.yml GitHub Actions workflow
Navigate to repository Settings > Actions > Workflow permissions > Disable workflow-checker.yml
Restrict branch creation
Limit who can create branches and open pull requests
Navigate to repository Settings > Branches > Add branch protection rules
🧯 If You Can't Patch
- Implement strict branch naming policies to prevent malicious payloads
- Review and restrict GitHub Actions permissions to minimum required scope
🔍 How to Verify
Check if Vulnerable:
Check if workflow-checker.yml contains insecure usage of github.head.ref without proper sanitization
Check Version:
git log --oneline -1
Verify Fix Applied:
Verify workflow-checker.yml uses proper input validation/sanitization for github.head.ref
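One way to automate the check above, as an added example that is not code from the AutoGPT project: a scanner that flags branch-name expressions expanded directly inside a `run:` script, shown against a vulnerable step and a hardened one that passes the value through `env:`. It assumes the workflow refers to the branch through `github.head_ref` or `github.event.pull_request.head.ref`, the GitHub Actions context expressions for the pull request head branch; both sample workflows are constructed.

```python
import re

# Expressions that expand to the PR head branch name (chosen by the PR author).
UNTRUSTED = re.compile(
    r"\$\{\{[^}]*\bgithub\.(?:head_ref|event\.pull_request\.head\.ref)\b[^}]*\}\}")
# A `run:` key, optionally the first key of a step ("- run:").
RUN_KEY = re.compile(r"^(\s*(?:-\s+)?)run:\s*(.*)$")

def find_unsafe_runs(workflow_text):
    """Return (line_no, text) for branch-name expressions inside run: scripts."""
    findings, run_col = [], None  # run_col: column of the active `run:` key
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        indent = len(line) - len(line.lstrip())
        if run_col is not None and line.strip() and indent <= run_col:
            run_col = None  # dedent: the run script has ended
        key = RUN_KEY.match(line)
        if run_col is None and key:
            run_col, script = len(key.group(1)), key.group(2)
        elif run_col is not None:
            script = line
        else:
            continue  # not inside a run script (e.g. an env: mapping)
        if UNTRUSTED.search(script):
            findings.append((line_no, line.strip()))
    return findings

# Constructed samples (not the project's workflow file).
HEADER = "on: pull_request\njobs:\n  check:\n    runs-on: ubuntu-latest\n    steps:\n"
VULNERABLE = HEADER + """\
      - name: Report branch
        run: |
          echo "Checking ${{ github.head_ref }}"
"""
HARDENED = HEADER + """\
      - name: Report branch
        env:
          BRANCH: ${{ github.head_ref }}   # expanded into data, not shell source
        run: |
          echo "Checking $BRANCH"
"""

if __name__ == "__main__":
    for name, text in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        print(name, find_unsafe_runs(text))
```

The scanner is line-based and does not parse YAML, so treat an empty result as a prompt for manual review of unusual layouts, not as proof that a workflow is safe.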
📡 Detection & Monitoring
Log Indicators:
- Unusual command execution in GitHub Actions logs
- Suspicious branch names containing shell metacharacters
Network Indicators:
- Unexpected outbound connections from GitHub Actions runners
SIEM Query:
source="github-actions" AND (command_injection OR suspicious_execution)