[New Advisory Request] Command Injection in DaytonaTools via Unquoted Path Variables (agno/phidata) #6975
Description
Summary
Command Injection in DaytonaTools via Unquoted Path Variables
CVE Details
- Affected product: phidatahq/phidata (now called agno-agi/agno)
- Ecosystem: pip
- Package name: agno
- Affected versions: < latest
- Patched versions: (unknown)
- Severity: High (CVSS ~7.8)
Description
Multiple command injection vulnerabilities exist in libs/agno/agno/tools/daytona.py due to unquoted path variables being interpolated directly into shell commands.
Vulnerable Code
Line 302:
test_result = current_sandbox.process.exec(
f"test -d {new_path_str} && echo 'exists' || echo 'not found'", cwd="/"
)Line 342:
result = current_sandbox.process.exec(f"mkdir -p {parent_dir}")The new_path_str and parent_dir variables can contain shell metacharacters that enable command injection.
Proof of Concept
An attacker can craft malicious path names to inject commands:
# Using DaytonaTools.run_shell_command with:
command = "cd foo; touch /tmp/pwned; #"
# This becomes:
# test -d foo; touch /tmp/pwned; # && echo 'exists' || echo 'not found'
# The injected command executes before the && is evaluatedSimilarly, create_file with a malicious file_path containing shell metacharacters would exploit line 342.
Impact
- Arbitrary command execution within the Daytona sandbox
- Potential sandbox escape depending on Daytona configuration
- Data exfiltration, privilege escalation within sandbox
Recommendation
Quote path variables properly:
# Replace:
f"test -d {new_path_str} && ..."
# With:
f"test -d '{new_path_str}' && ..."
# And similarly for mkdir:
f"mkdir -p '{parent_dir}'"Or use subprocess with list arguments to avoid shell interpretation entirely.
Weakness
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
References
- Repository: https://github.com/agno-agi/agno (formerly phidatahq/phidata)
- Vulnerable file:
libs/agno/agno/tools/daytona.py