
Agenta API: Unauthorized Code Execution on Server

CVE-2026-27952
Summary

A security flaw in the Agenta API (prior to version 0.48.1) allowed authenticated users to run unauthorized code on the server. This could happen if a user submitted malicious code in the Agenta platform. To fix this, update the Agenta API to version 0.48.1 or later.

What to do

No fix is available yet. Check with your software vendor for updates.

Affected software
Vendor: agentatech
Product: agenta
Affected versions: <= 0.48.1
Fix available: (not stated)
Original description
Agenta is an open-source LLMOps platform. In Agenta-API prior to version 0.48.1, a Python sandbox escape vulnerability existed in Agenta's custom code evaluator. Agenta used RestrictedPython as a sandboxing mechanism for user-supplied evaluator code, but incorrectly whitelisted the `numpy` package as safe within the sandbox. This allowed authenticated users to bypass the sandbox and achieve arbitrary code execution on the API server. The escape path was through `numpy.ma.core.inspect`, which exposes Python's introspection utilities — including `sys.modules` — thereby providing access to unfiltered system-level functionality like `os.system`. This vulnerability affects the Agenta self-hosted platform (API server), not the SDK when used as a standalone Python library. The custom code evaluator runs server-side within the API process. The issue is fixed in v0.48.1 by removing `numpy` from the sandbox allowlist. In later versions (v0.60+), the RestrictedPython sandbox was removed entirely and replaced with a different execution model.
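The root cause above is an allowlist that treated a whole package as safe: once `numpy` is importable, every submodule and attribute reachable from it (here `numpy.ma.core.inspect`) is reachable too. The following added example is not Agenta's code and does not use RestrictedPython; it is a minimal import gate, written for this page, that shows why an allowlist decision has to be made on the top-level package and how dropping `numpy` from the list (the v0.48.1 fix) closes the `numpy.ma.core` path. The allowlist contents and the evaluator snippets are constructed for the example.

```python
"""Import-allowlist gate for a custom code evaluator (added example, not Agenta's code).

It restricts only imports; it is not a full sandbox such as RestrictedPython.
"""
import builtins

# Constructed allowlists: WEAK mirrors the pre-0.48.1 mistake of listing numpy
# as safe, HARDENED is the same list with numpy removed (the v0.48.1 fix).
WEAK_ALLOWLIST = frozenset({"math", "json", "re", "numpy"})
HARDENED_ALLOWLIST = frozenset({"math", "json", "re"})


class SandboxImportError(ImportError):
    """Raised when evaluator code tries to import something off the allowlist."""


def is_import_allowed(name: str, allowlist: frozenset) -> bool:
    """Decide whether `import <name>` may proceed.

    Only the top-level package is consulted on purpose: allowing "numpy" means
    allowing "numpy.ma.core" and every attribute hanging off it, so the
    allowlist must be judged at package granularity, not by dotted path.
    """
    top_level = name.split(".", 1)[0]
    return top_level in allowlist


def make_guarded_import(allowlist: frozenset):
    """Return an __import__ replacement that enforces the allowlist."""
    real_import = builtins.__import__

    def guarded_import(name, globals=None, locals=None, fromlist=(), level=0):
        if level != 0:
            # Relative imports have no meaning for user-supplied evaluator code.
            raise SandboxImportError("relative imports are not permitted")
        if not is_import_allowed(name, allowlist):
            raise SandboxImportError(f"module {name!r} is not on the sandbox allowlist")
        return real_import(name, globals, locals, fromlist, level)

    return guarded_import


def run_evaluator(code: str, allowlist: frozenset):
    """Execute evaluator code with the import gate installed and return `score`.

    The builtins exposed here are a deliberately small, constructed set;
    import statements are routed through guarded_import via __builtins__.
    """
    safe_builtins = {
        "__import__": make_guarded_import(allowlist),
        "abs": abs, "min": min, "max": max, "sum": sum, "len": len,
        "range": range, "float": float, "int": int, "str": str,
    }
    namespace = {"__builtins__": safe_builtins}
    exec(code, namespace)
    return namespace.get("score")


def evaluator_is_blocked(code: str, allowlist: frozenset) -> bool:
    """True if the gate refuses the evaluator before any module is loaded."""
    try:
        run_evaluator(code, allowlist)
    except SandboxImportError:
        return True
    return False


# Constructed evaluator snippets: one benign, one reaching into numpy's
# submodules the way the advisory describes.
EVALUATOR_OK = "import math\nscore = math.sqrt(16)"
EVALUATOR_NUMPY = "import numpy.ma.core\nscore = 0"

if __name__ == "__main__":
    print("weak allowlist admits numpy.ma.core:",
          is_import_allowed("numpy.ma.core", WEAK_ALLOWLIST))
    print("hardened allowlist admits numpy.ma.core:",
          is_import_allowed("numpy.ma.core", HARDENED_ALLOWLIST))
    print("benign evaluator score:", run_evaluator(EVALUATOR_OK, HARDENED_ALLOWLIST))
    print("numpy evaluator blocked:", evaluator_is_blocked(EVALUATOR_NUMPY, HARDENED_ALLOWLIST))
```

The gate never loads `numpy` under the weak list in this example (it only reports the decision), so it runs whether or not numpy is installed. The practical lesson is the one the advisory states: an allowlist entry admits the whole package namespace, so each entry needs to be reviewed for what it transitively exposes, not just for what its public API does.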
NVD CVSS 3.1 base score: 9.9
Vulnerability type
CWE-94: Code Injection
Published: 26 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026