it-securitynotifies - [IT-SecNots] [Security-news] AI (Artificial Intelligence) - Critical - Remote Code Execution - SA-CONTRIB-2025-021

it-securitynotifies AT lists.piratenpartei.de

Subject: Security announcements

  • From: security-news AT drupal.org
  • To: security-news AT drupal.org
  • Subject: [IT-SecNots] [Security-news] AI (Artificial Intelligence) - Critical - Remote Code Execution - SA-CONTRIB-2025-021
  • Date: Wed, 5 Mar 2025 18:17:04 +0000 (UTC)
  • List-archive: <http://lists.drupal.org/pipermail/security-news/>
  • List-id: <security-news.drupal.org>

View online: https://www.drupal.org/sa-contrib-2025-021

Project: AI (Artificial Intelligence) [1]
Date: 2025-March-05
Security risk: *Critical* 15 ∕ 25
AC:Complex/A:User/CI:All/II:All/E:Theoretical/TD:Uncommon [2]
Vulnerability: Remote Code Execution

Affected versions: <1.0.5
Description: 
The AI Automators module (a submodule of AI) enables you to create different
automated tasks that fill out field data using LLM outputs.

The module doesn't sufficiently sanitize input before passing it to the
underlying shell as part of a command for execution, allowing an attacker to
run arbitrary commands.

The vulnerability exists in optional Automator Types which are part of the
optional AI Automators (sub)module.

The AI module is included in Drupal CMS.

Solution: 
Install the latest version:

* If you use the AI module for Drupal, upgrade to AI 1.0.5 [3]

Reported By: 
* Drew Webber (mcdruid) [4] of the Drupal Security Team

Fixed By: 
* Marcus Johansson (marcus_johansson) [5]
* Drew Webber (mcdruid) [6] of the Drupal Security Team
* Michal Gow (seogow) [7]

Coordinated By: 
* Drew Webber (mcdruid) [8] of the Drupal Security Team


[1] https://www.drupal.org/project/ai
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/ai/releases/1.0.5
[4] https://www.drupal.org/u/mcdruid
[5] https://www.drupal.org/u/marcus_johansson
[6] https://www.drupal.org/u/mcdruid
[7] https://www.drupal.org/u/seogow
[8] https://www.drupal.org/u/mcdruid

_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news
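
Added example (not part of the advisory and not code from the Drupal project): a check of a Composer-managed site's composer.lock against the affected range "<1.0.5" stated above. The Composer package name drupal/ai and the sample lock contents are assumptions constructed for illustration.

```python
import json
import re

FIXED = (1, 0, 5)        # first fixed release per SA-CONTRIB-2025-021
PACKAGE = "drupal/ai"    # assumption: Composer name of drupal.org/project/ai

def parse_version(raw):
    """Return ((major, minor, patch), is_prerelease), or None for branch/dev versions."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.]+)?", raw.strip())
    if not m:
        return None
    return tuple(int(x) for x in m.group(1, 2, 3)), m.group(4) is not None

def assess(lock_text):
    """Classify a composer.lock: 'not-installed', 'affected', 'fixed' or 'unknown'."""
    lock = json.loads(lock_text)
    pkgs = (lock.get("packages") or []) + (lock.get("packages-dev") or [])
    for pkg in pkgs:
        if pkg.get("name") != PACKAGE:
            continue
        parsed = parse_version(pkg.get("version", ""))
        if parsed is None:
            return "unknown"   # e.g. 1.0.x-dev: check the installed commit by hand
        numbers, prerelease = parsed
        # The range is applied literally: a pre-release of 1.0.5 sorts before 1.0.5.
        if numbers < FIXED or (numbers == FIXED and prerelease):
            return "affected"
        return "fixed"
    return "not-installed"

# Constructed sample input, not taken from any real site.
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "drupal/core", "version": "11.1.3"},
    {"name": "drupal/ai", "version": "1.0.4"},
]})

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOCK
    print(PACKAGE, "->", assess(text))
```

An "affected" result matters most where the optional AI Automators submodule is enabled, since that is where the advisory locates the vulnerability.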

