
Vulnerabilities from the last week
Command Injection
automagik-genie is a self-evolving AI agent orchestration framework with Model Context Protocol support.
Affected versions of this package are vulnerable to Command Injection via the readTranscriptFromCommit() function. An attacker can execute arbitrary system commands by supplying crafted input to the view_task parameter when reading from an external FORGE_BASE_URL.
Memory Allocation with Excessive Size Value
Affected versions of this package are vulnerable to Memory Allocation with Excessive Size Value through the ReceivePackHandler via add_thin_pack/apply_delta flows when handling crafted thin packs with attacker-controlled delta headers. An attacker can cause excessive memory allocation by pushing a specially crafted thin pack that declares a large destination size, leading to resource exhaustion and potential denial of service. This is only exploitable if the server exposes git-receive-pack functionality and accepts pushes from untrusted or authenticated clients.
Cross-site Scripting (XSS)
Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the HTML index page when an authenticated user with upload permissions stores crafted content. An attacker can execute arbitrary JavaScript in the browser of users who browse the affected repository directory, potentially performing actions in the context of the victim's session.
Recent vulnerabilities disclosed by Snyk
- H: Command Injection in degit (npm)
- C: Malicious Package in moustick (npm)
- C: Malicious Package in cookie-parser-legacy (npm)
- M: Arbitrary File Write via Archive Extraction (Zip Slip) in decompress (npm)
- H: CSV Injection in json-2-csv (npm)
Snyk security researchers have disclosed 3497 vulnerabilities
About Snyk dependencies vulnerability database
Snyk is a developer security platform. Integrating directly into development tools, workflows, and automation pipelines, Snyk makes it easy for teams to find, prioritize, and fix security vulnerabilities in code, dependencies, containers, and infrastructure as code. Supported by industry-leading application and security intelligence, Snyk puts security expertise in any developer's toolkit.




