Command Injection Affecting agentc package, versions [,0.2.5a4)


Severity: critical (CVSS assessment by Snyk's Security Team)

  • Snyk ID: SNYK-PYTHON-AGENTC-14172805
  • Published: 4 Dec 2025
  • Disclosed: 2 Dec 2025
  • Credit: Unknown

Introduced: 2 Dec 2025

CVE: not available. CWE-78

How to fix?

Upgrade agentc to version 0.2.5a4 or higher.

Overview

agentc is the front-facing package for the Couchbase Agent Catalog project.

Affected versions of this package are vulnerable to Command Injection due to unsafe use of subprocess.run when invoking the default system editor during the agentc add operation. The application directly executes a user-defined or environment-controlled editor path as a shell command without validation or sanitization. An attacker can exploit this by supplying a malicious editor path or manipulating environment variables to hijack the editor invocation, resulting in arbitrary code execution under the application's privileges.
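The pattern the advisory describes, shown as an added illustration rather than agentc's own code: an editor string taken from the environment is spliced into a single shell command line, so the shell, not the application, decides what gets executed. Next to it is a hardened launcher that tokenises the editor value with shlex, requires argv[0] to resolve to a real executable, optionally restricts it to an allow-list of program names, and passes the file path as a separate argument with shell=False. The function names, the fake PATH lookup and the sample editor values are constructed for this example.

```python
# Added illustration, not agentc's own code. It contrasts the vulnerable
# pattern the advisory describes (editor string from the environment passed
# to a shell) with a hardened launcher that never invokes a shell.
import os
import shlex
import shutil
import subprocess
from typing import Callable, Iterable, List, Optional

# Maps a program name to an absolute path, or None if it cannot be found.
Lookup = Callable[[str], Optional[str]]


def unsafe_editor_command(path: str) -> str:
    """Vulnerable pattern (returned, not executed, so it can be inspected offline).

    The editor value is interpolated into one shell string, so any shell
    metacharacters present in EDITOR become part of what the shell parses
    when this string is handed to subprocess.run(..., shell=True).
    """
    editor = os.environ.get("EDITOR", "vi")
    return f"{editor} {path}"


def build_editor_argv(path: str, editor: Optional[str] = None,
                      lookup: Lookup = shutil.which,
                      allowed: Optional[Iterable[str]] = None) -> List[str]:
    """Hardened resolution of the editor command into an argv list.

    - The editor string is tokenised with shlex instead of being given to a shell.
    - argv[0] must resolve to an executable via `lookup`; a token such as 'vi;'
      produced by a metacharacter-laden value resolves to nothing and is rejected.
    - An optional allow-list of basenames further limits which programs may be
      launched (sensible when the process runs with elevated privileges).
    - The file path is appended as its own argument, never interpolated.
    """
    raw = editor if editor else (os.environ.get("EDITOR") or "vi")
    argv = shlex.split(raw)
    if not argv:
        raise ValueError("editor command is empty")
    if allowed is not None and os.path.basename(argv[0]) not in set(allowed):
        raise ValueError(f"editor {argv[0]!r} is not in the allow-list")
    exe = lookup(argv[0])
    if exe is None:
        raise ValueError(f"editor {argv[0]!r} does not resolve to an executable")
    return [exe, *argv[1:], path]


def open_in_editor(path: str, editor: Optional[str] = None) -> int:
    """Launch the editor as an argv list with shell=False; returns its exit status."""
    argv = build_editor_argv(path, editor)
    return subprocess.run(argv, shell=False, check=False).returncode


if __name__ == "__main__":
    # Constructed lookup so the demonstration does not depend on what is installed.
    fake_lookup = {"vi": "/usr/bin/vi", "code": "/usr/bin/code"}.get
    print(build_editor_argv("tool.yaml", "code --wait", lookup=fake_lookup))
    # Constructed hostile value: the metacharacter makes argv[0] unresolvable.
    try:
        build_editor_argv("tool.yaml", "vi; echo injected", lookup=fake_lookup)
    except ValueError as err:
        print("rejected:", err)
```

The defensive point is in build_editor_argv: once the command is an argv list and shell=False, the editor value can only ever name a program and its arguments, so the environment can no longer smuggle extra commands; the allow-list is an additional control for deployments where even "any executable on PATH" is too permissive.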
