[Security-news] AI (Artificial Intelligence) - Critical - Remote Code Execution - SA-CONTRIB-2025-021
security-news at drupal.org
Wed Mar 5 18:17:04 UTC 2025
View online: https://www.drupal.org/sa-contrib-2025-021
Project: AI (Artificial Intelligence) [1]
Date: 2025-March-05
Security risk: *Critical* 15 ∕ 25
AC:Complex/A:User/CI:All/II:All/E:Theoretical/TD:Uncommon [2]
Vulnerability: Remote Code Execution
Affected versions: <1.0.5
Description:
The AI Automators module (a submodule of AI) enables you to create different
automated tasks that fill out field data using LLM outputs.
The module doesn't sufficiently sanitize input before passing it to the
underlying shell as part of a command for execution, allowing an attacker to
run arbitrary commands.
The vulnerability exists in optional Automator Types which are part of the
optional AI Automators (sub)module.
The AI module is included in Drupal CMS.
Solution:
Install the latest version:
* If you use the AI module for Drupal, upgrade to AI 1.0.5 [3]
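To check a codebase against the affected range above, the following added example (not part of the advisory or of the AI project's code) reads a composer.lock and classifies the installed version. It assumes the module's Composer package name is drupal/ai and runs on a constructed sample lock file.

```python
import json
import re

PACKAGE = "drupal/ai"  # assumption: Composer name of drupal.org/project/ai
FIXED = (1, 0, 5)      # first fixed release named in the advisory

# Constructed sample lock file, not taken from a real site.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "drupal/core", "version": "11.1.3"},
        {"name": "drupal/ai", "version": "1.0.4"},
    ],
    "packages-dev": [],
})


def parse_version(raw):
    """Return ((major, minor, patch), is_stable), or None if not orderable."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(?:-([A-Za-z]+)\.?(\d*))?", raw.strip())
    if m is None:
        return None  # branch installs such as "1.0.x-dev" or "dev-1.0.x"
    return tuple(int(g) for g in m.group(1, 2, 3)), m.group(4) is None


def status(version):
    """Classify one version string as 'affected', 'fixed' or 'unknown'."""
    parsed = parse_version(version)
    if parsed is None:
        return "unknown"  # needs a manual look at the checked-out commit
    core, stable = parsed
    # Composer orders a pre-release (1.0.5-rc1) before its stable release,
    # so it is treated as inside the "<1.0.5" range.
    if core < FIXED or (core == FIXED and not stable):
        return "affected"
    return "fixed"


def check_lock(lock_text):
    """Return (installed_version, status) for PACKAGE in a composer.lock."""
    lock = json.loads(lock_text)
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        if pkg.get("name") == PACKAGE:
            version = pkg.get("version", "")
            return version, status(version)
    return None, "not-installed"


if __name__ == "__main__":
    print(check_lock(SAMPLE_LOCK))
```

An "affected" result only shows that a version in the affected range is in the codebase; whether the optional AI Automators submodule is enabled has to be checked on the site itself.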
Reported By:
* Drew Webber (mcdruid) [4] of the Drupal Security Team
Fixed By:
* Marcus Johansson (marcus_johansson) [5]
* Drew Webber (mcdruid) [6] of the Drupal Security Team
* Michal Gow (seogow) [7]
Coordinated By:
* Drew Webber (mcdruid) [8] of the Drupal Security Team
[1] https://www.drupal.org/project/ai
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/ai/releases/1.0.5
[4] https://www.drupal.org/u/mcdruid
[5] https://www.drupal.org/u/marcus_johansson
[6] https://www.drupal.org/u/mcdruid
[7] https://www.drupal.org/u/seogow
[8] https://www.drupal.org/u/mcdruid