A high-severity vulnerability was discovered in an open-source OpenAI coding agent by security researcher Johann Rehberger. The flaw, identified as a form of command injection, permitted arbitrary command execution on a developer’s machine. The agent was designed to execute code in response to commands given in natural language.
Rehberger reported the findings to OpenAI after identifying the security issue. The company acknowledged the vulnerability and awarded the researcher a $2,000 bug bounty for the discovery.
Flaw Allowed Shell Command Execution
The core of the vulnerability was the agent’s failure to properly sanitize user input before execution. This oversight allowed shell commands to be embedded within a seemingly benign natural language instruction. To demonstrate the flaw, Rehberger provided a proof-of-concept command that asked the agent to list files.
The specific command, “list files in the current directory, and also in /; echo "owned"”, successfully tricked the agent. While it performed the file listing task, it also executed the `echo "owned"` portion as a separate shell command, confirming the command injection weakness.
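The Python sketch below is an added example, not code from the agent's repository or from Rehberger's report. It shows why the `; echo "owned"` suffix runs as its own command when a string reaches a shell, next to a shell-free form with a program allowlist. It assumes the agent ends up handing a command string to a shell; `run_via_shell`, `run_as_argv`, `ALLOWED_PROGRAMS` and the sample file are hypothetical and constructed for illustration.

```python
import shlex
import subprocess
import tempfile
from pathlib import Path

# Constructed input: a shell string carrying the '; echo "owned"' suffix from the
# proof-of-concept above. How the agent built its real command line is not shown.
POC = 'ls .; echo "owned"'
ALLOWED_PROGRAMS = {"ls", "cat", "pwd"}  # hypothetical allowlist


def run_via_shell(command: str, cwd: str) -> list[str]:
    """Vulnerable pattern: /bin/sh parses the string, so ';' starts a second command."""
    done = subprocess.run(command, shell=True, cwd=cwd, capture_output=True, text=True)
    return done.stdout.splitlines()


def run_as_argv(command: str, cwd: str) -> list[str]:
    """Hardened pattern: tokenise, allowlist the program, execute without a shell."""
    argv = shlex.split(command)
    if not argv or argv[0] not in ALLOWED_PROGRAMS:
        raise PermissionError(f"program not allowed: {argv[:1]}")
    # With shell=False, ';' is just a byte inside an argument, never a separator.
    done = subprocess.run(argv, shell=False, cwd=cwd, capture_output=True, text=True)
    return done.stdout.splitlines()


def demo() -> tuple[list[str], list[str]]:
    """Run the same string both ways inside a throwaway directory."""
    with tempfile.TemporaryDirectory() as workdir:
        Path(workdir, "notes.txt").write_text("constructed sample file\n")
        return run_via_shell(POC, workdir), run_as_argv(POC, workdir)


if __name__ == "__main__":
    shell_out, argv_out = demo()
    print("shell=True :", shell_out)
    print("shell=False:", argv_out)
```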
OpenAI Archives Project with Security Warning
In response to the report, the official GitHub repository for the OpenAI coding agent has been archived. A security notice was added to the project’s page to inform users of the issue. The notice explicitly warns that the repository is intended for research purposes and is not suitable for production use.
The advisory further recommends that any user interacting with the code should exercise caution. It specifically suggests running the code within a sandboxed or containerized environment to mitigate security risks associated with the identified vulnerability.