CVE-2024-8156 HIGH

CVE-2024-8156: Command Injection in significant-gravitas/autogpt

Vendor Significant-Gravitas
Product significant-gravitas/autogpt
Weakness CWE-77
Published March 20, 2025
Last update October 15, 2025

CVSS base score

8.8/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality High
Integrity High

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

A command injection vulnerability exists in the workflow-checker.yml workflow of significant-gravitas/autogpt. The untrusted user input `github.head.ref` is used insecurely, allowing an attacker to inject arbitrary commands. This vulnerability affects versions up to and including the latest version. An attacker can exploit this by creating a branch name with a malicious payload and opening a pull request, potentially leading to reverse shell access or theft of sensitive tokens and keys.

Key dates

02Disclosure timeline

March 20, 2025 CVE published
October 15, 2025 Record updated