CRITICAL: Arbitrary Code Execution via FunctionTool Config

F001_FunctionTool_RCE.md

Finding F001: Arbitrary Code Execution via FunctionTool Config Deserialization

Severity: CRITICAL

Location

python/packages/autogen-core/src/autogen_core/tools/_function_tool.py

Description

The FunctionTool._from_config() method executes arbitrary Python code via exec() when loading a configuration from an untrusted source. While there is a security warning, the design fundamentally allows code execution.

# Line 159-171 in _function_tool.py
exec(import_code, exec_globals)  # Executes arbitrary import statements
exec(config.source_code, exec_globals)  # Executes arbitrary function code

Attack Scenario

1. Attacker creates a malicious FunctionToolConfig with source_code containing arbitrary Python
2. Config is loaded via ComponentLoader.load_component() or FunctionTool._from_config()
3. Arbitrary code executes in the process context

Risk Assessment

• Severity: CRITICAL
• Impact: Complete system compromise, data exfiltration, lateral movement
• Likelihood: MEDIUM (requires loading config from untrusted source)

Existing Mitigations

1. Security warning in documentation
2. Trusted namespace validation in ComponentLoader.load_component()
3. No default mechanism to load untrusted configs

Recommendations

1. Add runtime validation that source_code doesn't contain dangerous patterns
2. Consider sandboxed execution (e.g., RestrictedPython) for untrusted configs
3. Require explicit opt-in flag for loading FunctionTools from external configs
4. Add audit logging for FunctionTool config loading