"The tool does implement a check function to filter dangerous commands, but it uses a regex-based blacklist for that, which is a known unsafe pattern. The shortcomings lead the Shell tool to interpret an attacker's entire command string as executable logic, thereby bypassing safety checks."
"Despite the implementation of six validation layers before command execution, the function allows attackers to execute arbitrary code via trusted interpreters, exfiltrate data via allowed network utilities, and bypass tokenization via shell parsing semantics."
"An attacker can exploit this flaw by injecting crafted content into data sources consumed by the agent, such as prompts, documents, logs, or research inputs, without requiring direct shell access or explicit operator misuse."
"As a result, arbitrary commands can be executed with the privileges of the MS-Agent process on the host system as part of the agent's normal execution flow, potentially leading to full host compromise."
ModelScope MS-Agent is an open-source framework for creating AI agents that generate code, analyze data, and interact with tools via MCP protocol. A critical vulnerability (CVE-2026-2256) exists in the Shell tool, which executes OS commands on the host system. The tool implements a regex-based blacklist to filter dangerous commands, but this approach is fundamentally unsafe. Despite six validation layers, attackers can bypass security checks through shell parsing semantics and trusted interpreters. Attackers inject crafted content into data sources like prompts or documents to manipulate agents into executing malicious shell commands. The resulting arbitrary code execution occurs with MS-Agent process privileges, potentially compromising the entire host system.
Read at SecurityWeek
Unable to calculate read time
Collection
[
|
...
]