upsonic@0.68.1a1765124818

Agent Framework For Fintech

latest version

0.77.3

latest non vulnerable version

0.77.3

first published

2 years ago

latest version published

1 months ago

licenses detected

Unknown
[0.35.0a1736970242,)

View upsonic package health on Snyk (opens in a new tab)

Go back to all versions of this package

Report a new vulnerability Found a mistake?

Direct Vulnerabilities

Known vulnerabilities in the upsonic package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability Vulnerable Version

Vulnerability	Vulnerable Version
H Arbitrary Code Injection upsonic is a Task oriented AI agent framework for digital workers and vertical AI agents Affected versions of this package are vulnerable to Arbitrary Code Injection via the MCP server task creation functionality. An attacker can execute arbitrary operating system commands with the privileges of the running process by crafting MCP tasks that use allowed commands such as `npm` or `npx` with specific argument flags. Note: Version 0.72.0 adds a warning "Stdio servers run arbitrary processes on your machine;" How to fix Arbitrary Code Injection? Upgrade `upsonic` to version 0.72.0 or higher.	[,0.72.0)
C Deserialization of Untrusted Data upsonic is a Task oriented AI agent framework for digital workers and vertical AI agents Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the `add_tool` endpoint, which listens on TCP port 7541 by default, and uses `cloudpickle.loads()`. An attacker can execute arbitrary code as the service account by sending a malicious serialized payload. How to fix Deserialization of Untrusted Data? Upgrade `upsonic` to version 0.70.0 or higher.	[,0.70.0)

Arbitrary Code Injection

upsonic is a Task oriented AI agent framework for digital workers and vertical AI agents

Affected versions of this package are vulnerable to Arbitrary Code Injection via the MCP server task creation functionality. An attacker can execute arbitrary operating system commands with the privileges of the running process by crafting MCP tasks that use allowed commands such as npm or npx with specific argument flags.

Note:

Version 0.72.0 adds a warning "Stdio servers run arbitrary processes on your machine;"

How to fix Arbitrary Code Injection?

Upgrade upsonic to version 0.72.0 or higher.

[,0.72.0)

Deserialization of Untrusted Data

upsonic is a Task oriented AI agent framework for digital workers and vertical AI agents

Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the add_tool endpoint, which listens on TCP port 7541 by default, and uses cloudpickle.loads(). An attacker can execute arbitrary code as the service account by sending a malicious serialized payload.

How to fix Deserialization of Untrusted Data?

Upgrade upsonic to version 0.70.0 or higher.

[,0.70.0)

Go back to all versions of this package