We use cookies to improve your experience on our site.
AVID-2026-R1636
Description
Remote Code Execution in transformeroptimus/superagi (CVE-2024-9439)
Details
SuperAGI is vulnerable to remote code execution in the latest version. The agent template update API allows attackers to control certain parameters, which are then fed to the eval function without any sanitization or checks in place. This vulnerability can lead to full system compromise.
Reason for inclusion in AVID: CVE-2024-9439 describes a remote code execution vulnerability in the AI framework/agent platform (transformeroptimus/superagi). The attack leverages an API (agent template update) to feed unsanitized input into an eval, enabling full system compromise. This directly concerns AI software stacks and their deployment/runtime components, i.e., GPAI-related supply chain elements (AI frameworks/tools and their dependencies). The report provides explicit vulnerability behavior (RCE), affected artifact, and CVE details, satisfying sufficient evidence for AVID curation.
References
Affected or Relevant Artifacts
- Developer: transformeroptimus
- Deployer: transformeroptimus
- Artifact Details:
| Type | Name |
|---|---|
| System | transformeroptimus/superagi |
Impact
AVID Taxonomy Categorization
- Risk domains: Security
- SEP subcategories: S0100: Software Vulnerability
- Lifecycle stages: L06: Deployment
CVSS
| Version | 3.0 |
| Vector String | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| Base Score | 8.8 |
| Base Severity | 🔴 High |
| Attack Vector | NETWORK |
| Attack Complexity | 🟢 Low |
| Privileges Required | 🟢 Low |
| User Interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality Impact | 🔴 High |
| Integrity Impact | 🔴 High |
| Availability Impact | 🔴 High |
CWE
| ID | Description |
|---|---|
| CWE-94 | CWE-94 Improper Control of Generation of Code |
Other information
- Report Type: Advisory
- Credits:
- Date Reported: 2025-03-20
- Version: 0.3.3
- AVID Entry