mirror of
https://github.com/vxcontrol/pentagi.git
synced 2026-07-19 12:11:02 -04:00
[GH-ISSUE #337] [Bug]: PentAGI Container Escape via Prompt Injection #109
Reference in New Issue
Block a user
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Originally created by @ez-lbz on GitHub (Jun 5, 2026).
Original GitHub issue: https://github.com/vxcontrol/pentagi/issues/337
Originally assigned to: @asdek on GitHub.
Affected Component
AI Agents (Researcher/Developer/...)
Describe the bug
PentAGI Container Escape via Prompt Injection
Summary
PentAGI mounts the host Docker socket (
/var/run/docker.sock) into agent sandbox containers when deployed via Docker Compose, allowing a prompt-injected AI agent to escape its sandbox and execute arbitrary commands on the host through the Docker API.Root Cause
In
backend/pkg/docker/client.go:282-284, whenDOCKER_INSIDEis true, every per-flow sandbox container is created with the host Docker socket bind-mounted:dc.insideis controlled by theDOCKER_INSIDEenvironment variable, which defaults totruein the shippeddocker-compose.yml. ThedefaultDockerSocketPathis/var/run/docker.sock.Impact
With host Docker socket access, an attacker can:
docker run --privileged -v /:/host ...mounts the host root filesystem into a new container, providing full read/write access to the host.Steps to Reproduce
none
System Configuration
none
Logs and Artifacts
No response
Screenshots or Recordings
No response
Verification
@ez-lbz commented on GitHub (Jun 5, 2026):
Sandbox Container: pentagi-terminal-3
│
├─ /var/run/docker.sock (Successfully mounted, srw-rw----)
│
├─ POST /containers/create → Privileged Container with Volume Mount (-v /:/host)
│ └─ 201 Created
├─ POST /containers/{id}/start → 204 No Content
├─ POST /containers/{id}/wait → StatusCode=0
├─ GET /containers/{id}/logs → Host filesystem data exfiltration (Leakage)
└─ DELETE /containers/{id} → Footprint cleanup / Clearing tracks