# SuperAGI — RCE via `eval()` on Redis-stored completed task data
STATUS: ALMOST_REPORT (needs investigation; do not submit)
readiness: NEEDS_INVESTIGATION
program: SuperAGI | platform: huntr | repo: TransformerOptimus/SuperAGI | commit: 2026-02-13-scan

````
Repository URL: https://github.com/TransformerOptimus/SuperAGI
Package Manager: pip
Version Affected: latest (observed in 2026-02-13 scan)
Vulnerability Type: Code Injection
CVSS:
  Attack Vector: Network
  Attack Complexity: High
  Privileges Required: Low
  User Interaction: None
  Scope: Changed
  Confidentiality: High
  Integrity: High
  Availability: High
Title: eval() on Redis task strings can execute attacker-influenced payloads
Impact: Successful exploitation yields remote code execution as the SuperAGI application user. This can lead to host compromise, secret theft, and lateral movement.
Description:

# Description

`TaskQueue` deserializes completed-task records from Redis using Python `eval()` in two read paths:

```python
def get_completed_tasks(self):
    tasks = self.db.lrange(self.completed_tasks, 0, -1)
    return [eval(task) for task in tasks]

def get_last_task_details(self):
    response = self.db.lindex(self.completed_tasks, 0)
    return eval(response)
```

If attacker-controlled content can be made to persist into the Redis completed-task list in an executable Python expression shape, retrieving task history triggers code execution in the server process.

The scan context notes this is a medium-confidence path because storage format is typically `str(dict)`, so exploitability depends on injection shape/control of serialized content.

# Proof of Concept

1. Configure an agent that ingests attacker-controlled content (e.g., web page/tool output).
2. Craft prompt-injection content intended to force model/task output into Python expression payload style.
3. Trigger task completion so data is stored in Redis completed-tasks list.
4. Invoke functionality that reads task history (`get_completed_tasks`/`get_last_task_details`).
5. Observe payload execution (e.g., delayed response, outbound callback, command side effect).

Example payload concept (representation-dependent):

```python
__import__('os').system('id')
```

Expected vulnerable behavior: retrieval path executes `eval()` on Redis string instead of safe parser (`ast.literal_eval`/JSON).

### Impact

Successful exploitation yields remote code execution as the SuperAGI application user. This can lead to host compromise, secret theft, and lateral movement.

### Occurrences

```
Permalink: https://github.com/TransformerOptimus/SuperAGI/blob/main/superagi/agent/task_queue.py#L33-L34
Description: get_completed_tasks evaluates each Redis item with eval()

Permalink: https://github.com/TransformerOptimus/SuperAGI/blob/main/superagi/agent/task_queue.py#L42-L43
Description: get_last_task_details evaluates latest Redis item with eval()
```

### References

```
URL: https://cwe.mitre.org/data/definitions/95.html
Name: CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code

URL: https://docs.python.org/3/library/ast.html#ast.literal_eval
Name: Python ast.literal_eval documentation

URL: https://owasp.org/www-community/attacks/Code_Injection
Name: OWASP Code Injection
```

Occurrences:
  Permalink: https://github.com/TransformerOptimus/SuperAGI/blob/main/superagi/agent/task_queue.py#L33-L34
  Description: get_completed_tasks evaluates each Redis item with eval()
  Permalink: https://github.com/TransformerOptimus/SuperAGI/blob/main/superagi/agent/task_queue.py#L42-L43
  Description: get_last_task_details evaluates latest Redis item with eval()
References:
  URL: https://cwe.mitre.org/data/definitions/95.html
  Name: CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code
  URL: https://docs.python.org/3/library/ast.html#ast.literal_eval
  Name: Python ast.literal_eval documentation
  URL: https://owasp.org/www-community/attacks/Code_Injection
  Name: OWASP Code Injection
````