DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

GHSA-5WP8-Q9MX-8JX8: Critical Shell Security Bypass in Zeptoclaw AI Runtime

Vulnerability ID: GHSA-5WP8-Q9MX-8JX8
CVSS Score: 9.8
Published: 2026-03-05

A critical vulnerability in the zeptoclaw AI agent runtime allows attackers to bypass shell security controls, including allowlists and blocklists, to execute arbitrary commands. The flaw stems from insufficient input validation in src/security/shell.rs, specifically regarding shell metacharacters, globbing patterns, and argument permutation. By manipulating command strings, an attacker can escape the intended sandbox and execute code on the host system, even when 'Strict' security modes are enabled.

TL;DR

Zeptoclaw fails to properly sanitize shell commands, allowing attackers to bypass security allowlists using metacharacters (e.g., ;, |), globbing (e.g., pass[w]d), and flag permutations. This results in Critical Remote Code Execution (RCE).

⚠️ Exploit Status: PoC

Technical Details

  • CWE ID: CWE-78 (OS Command Injection)
  • Attack Vector: Remote (via Prompt/API)
  • CVSS Score: 9.8 (Critical)
  • Impact: Arbitrary Code Execution
  • Exploit Status: PoC Available
  • Fix Commit: 68916c3e

Affected Systems

  • zeptoclaw AI Runtime
  • Systems running zeptoclaw agents with shell tool access
  • zeptoclaw: <= 0.6.2 (Fixed in: Commit 68916c3e)

Code Analysis

Commit: 68916c3

Fix GHSA-5WP8-Q9MX-8JX8: hardening shell security against metacharacters and globs

Exploit Details

  • GitHub Advisory: The patch contains unit tests demonstrating all bypass vectors (PoC).

Mitigation Strategies

  • Input Sanitization
  • Sandbox Reinforcement
  • Privilege Reduction

Remediation Steps:

  1. Update zeptoclaw immediately to the version containing commit 68916c3e4f3af107f11940b27854fc7ef517058b (or version 0.6.3+).
  2. If immediate update is not possible, disable the device_shell tool in the agent configuration.
  3. Review logs for historical instances of command chaining characters (;, |, &) in agent command history.
  4. Run the agent runtime in an ephemeral container (Docker/Podman) with no volume mounts to sensitive host directories.
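A helper for remediation step 3, added here as an illustration and not part of the advisory or the zeptoclaw project: it flags entries in an agent's shell command history that contain the chaining metacharacters (;, |, &) or glob patterns (*, ?, bracket expressions such as pass[w]d) described above, and separates metacharacters that appear only inside quotes as lower-confidence findings. The history format and the sample entries are constructed assumptions.

```python
import re

# Constructed sample of an agent's device_shell command history. The plain
# one-command-per-entry format is an assumption for this example, not the
# real zeptoclaw log format.
SAMPLE_HISTORY = [
    'ls -la /tmp',
    'cat /etc/hostname; id',
    'cat /etc/pass[w]d',
    'ls /tmp | wc -l',
    "echo 'a;b'",
    'sleep 5 & true',
    'ls *.log',
]

# Chaining operators named in the advisory (; | & and the && / || forms).
CHAINING = re.compile(r'[;|&\n]')
# Glob metacharacters: * ? and bracket expressions like [w].
GLOB = re.compile(r'[*?]|\[[^\]]*\]')


def strip_quoted(cmd: str) -> str:
    """Drop single- and double-quoted segments: the shell does not treat
    metacharacters inside them as operators, so they carry less signal."""
    return re.sub(r"'[^']*'|\"[^\"]*\"", '', cmd)


def classify(cmd: str) -> list[str]:
    """Return the indicator classes present in one command string."""
    unquoted = strip_quoted(cmd)
    findings = []
    if CHAINING.search(unquoted):
        findings.append('chaining')
    if GLOB.search(unquoted):
        findings.append('glob')
    # Metacharacters only inside quotes: still worth a manual look.
    if not findings and (CHAINING.search(cmd) or GLOB.search(cmd)):
        findings.append('quoted-only')
    return findings


def scan(history):
    """Return (command, findings) for every entry with at least one indicator."""
    return [(c, classify(c)) for c in history if classify(c)]


if __name__ == '__main__':
    for cmd, findings in scan(SAMPLE_HISTORY):
        print(f'{", ".join(findings):12} {cmd}')
```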

Read the full report for GHSA-5WP8-Q9MX-8JX8 on our website for more details including interactive diagrams and full exploit analysis.