Headline
CVE-2023-37273: Docker escape when running from docker-compose.yml included in git repo
Auto-GPT is an experimental open-source application showcasing the capabilities of the GPT-4 language model. Running Auto-GPT version prior to 0.4.3 by cloning the git repo and executing docker compose run auto-gpt in the repo root uses a different docker-compose.yml file from the one suggested in the official docker set up instructions. The docker-compose.yml file located in the repo root mounts itself into the docker container without write protection. This means that if malicious custom python code is executed via the execute_python_file and execute_python_code commands, it can overwrite the docker-compose.yml file and abuse it to gain control of the host system the next time Auto-GPT is started. The issue has been patched in version 0.4.3.
Impact
Running Auto-GPT < v0.4.3 by cloning the git repo and executing docker compose run auto-gpt in the repo root uses a different docker-compose.yml file from the one suggested in the official docker set up instructions. The docker-compose.yml file located in the repo root mounts itself into the docker container without write protection.
This means that if malicious custom python code is executed via the execute_python_file and execute_python_code commands, it can overwrite the docker-compose.yml file and abuse it to gain control of the host system the next time Auto-GPT is started.
Patches
The issue has been patched in PR #4761, and the patch is included in release v0.4.3.
Workarounds
If you are unable or not willing to upgrade to the newest version of Auto-GPT, the patch can be applied manually in docker-compose.yml as follows:
volumes:
- ./:/app
# add the following two lines:
- ./docker-compose.yml:/app/docker-compose.yml:ro
- ./Dockerfile:/app/Dockerfile:ro
References
- https://github.com/Significant-Gravitas/Auto-GPT/blob/v0.4.2/docs/setup.md#set-up-with-docker
- #4761
- https://positive.security/blog/auto-gpt-rce#escaping-to-the-host-system