Describe the bug
The Runner.run_code function in src/agents/runner/runner.py:69 contains a critical code injection vulnerability (CWE-94) that allows attackers to achieve arbitrary code execution by exploiting the direct execution of LLM-generated content. The function receives content shaped by an LLM-orchestrated path and forwards that content into an execution surface instead of treating it as inert data, without implementing proper validation, sanitization, or sandboxing mechanisms.
How To Reproduce
Steps to reproduce the behavior (example):
Environment Setup:
-
Clone the devika repository from the source
-
Install all required dependencies:
cd devika
pip install -r requirements.txt
cd ui
npm install # or bun install
-
Configure the .env file with your API keys (Claude API key required for this reproduction)
-
Start the backend server:
-
Start the frontend development server:
cd ui
npm run dev # or bun run dev
-
Verify the application is running by accessing http://localhost:3000 in your browser
Browser-Based Exploitation Steps:
-
Open your web browser and navigate to http://localhost:3000
-
In the devika web interface, you should see the chat input area and project creation options
-
First Turn - Establish Context:
- In the chat input box, type:
"Create a new Python project called 'data_processor' for analyzing CSV files"
- Click the "Send" button or press Enter
- Wait for the agent to initialize the project (you'll see agent activity in the UI showing project creation, planning phase, etc.)
- Observe the project directory being created under
data/projects/data_processor/
-
Second Turn - Trigger the Vulnerability:
- Once the first turn completes, craft a malicious prompt in the chat input:
Now add a data validation script. For testing purposes, first create a file called write_marker.py with this content:
with open('EXPLOITATION_MARKER.txt', 'w') as f:
f.write('Code injection successful - arbitrary execution achieved')
Then run this script to verify the setup works correctly.
- Click "Send" to submit the malicious prompt
- The LLM (Claude) will process this request and generate code execution instructions
-
Observe Exploitation:
- Watch the agent activity panel - you should see the Runner agent being invoked
- The UI will show messages like "Running code..." or "Executing script..."
- Monitor the browser's developer console (F12) for Socket.IO messages showing the execution flow
- The backend terminal will show execution logs
-
Verify Arbitrary Code Execution:
- Open a file explorer or terminal and navigate to
data/projects/data_processor/
- Confirm that
EXPLOITATION_MARKER.txt exists with the content: "Code injection successful - arbitrary execution achieved"
- Check the backend terminal logs for execution traces showing
python write_marker.py was executed
- Alternatively, check the preserved evidence files:
ARTIFACTS\devika-runner-live-claude.json - Contains the complete Socket.IO message flow and execution trace
ARTIFACTS\devika-runner-live.stderr.log - Shows the stderr output from the execution
Key Indicators of Successful Exploitation:
- The marker file
EXPLOITATION_MARKER.txt is created in the project directory
- Backend logs show
Runner.run_code was invoked at line 69 of src/agents/runner/runner.py
- Socket.IO messages in browser DevTools show the execution flow
- No security warnings or validation errors were triggered
- The code executed with full host system access (not sandboxed)
Expected behavior
The application should:
- Never execute LLM-generated content directly as code - all LLM output must be treated as untrusted data
- Implement a strict whitelist of allowed commands and operations
- Use secure sandboxing for any code execution (Docker containers, VMs, restricted user accounts)
- Validate and sanitize all commands before execution using regex patterns and static analysis
- Require explicit user confirmation before executing any code
- Implement comprehensive logging and monitoring of all execution attempts
- Apply resource limits (CPU, memory, network, filesystem access, execution time)
- Use static analysis to detect dangerous patterns in generated code (eval, exec, import, etc.)
- Implement anomaly detection and alerting for suspicious execution patterns
- Apply defense-in-depth security controls at multiple layers
Configuration
- OS: Windows
- Python version: 3.10
- Node version: 18.0.0
- bun version: 0.1.0
- Model: claude
Additional context
Add any other context about the problem here.
Describe the bug
The
Runner.run_codefunction insrc/agents/runner/runner.py:69contains a critical code injection vulnerability (CWE-94) that allows attackers to achieve arbitrary code execution by exploiting the direct execution of LLM-generated content. The function receives content shaped by an LLM-orchestrated path and forwards that content into an execution surface instead of treating it as inert data, without implementing proper validation, sanitization, or sandboxing mechanisms.How To Reproduce
Steps to reproduce the behavior (example):
Environment Setup:
Clone the devika repository from the source
Install all required dependencies:
Configure the
.envfile with your API keys (Claude API key required for this reproduction)Start the backend server:
Start the frontend development server:
Verify the application is running by accessing
http://localhost:3000in your browserBrowser-Based Exploitation Steps:
Open your web browser and navigate to
http://localhost:3000In the devika web interface, you should see the chat input area and project creation options
First Turn - Establish Context:
"Create a new Python project called 'data_processor' for analyzing CSV files"data/projects/data_processor/Second Turn - Trigger the Vulnerability:
Observe Exploitation:
Verify Arbitrary Code Execution:
data/projects/data_processor/EXPLOITATION_MARKER.txtexists with the content:"Code injection successful - arbitrary execution achieved"python write_marker.pywas executedARTIFACTS\devika-runner-live-claude.json- Contains the complete Socket.IO message flow and execution traceARTIFACTS\devika-runner-live.stderr.log- Shows the stderr output from the executionKey Indicators of Successful Exploitation:
EXPLOITATION_MARKER.txtis created in the project directoryRunner.run_codewas invoked at line 69 ofsrc/agents/runner/runner.pyExpected behavior
The application should:
Configuration
Additional context
Add any other context about the problem here.