Description
The Docker code executor at autogen_ext/code_executors/docker/_docker_code_executor.py mounts host filesystem directories into sandboxed containers without explicit trust boundary validation. This allows an agent with code execution capability to escape its container sandbox and access the host filesystem.
Location
python/packages/autogen-ext/src/autogen_ext/code_executors/docker/_docker_code_executor.py
Impact
An agent utilizing this code executor can read, write, or delete files on the host system through mounted volumes, bypassing the intended sandbox isolation. This is a trust boundary violation (OWASP ASI10) where the agent's code execution scope extends beyond its designated sandbox.
Severity
CRITICAL — container escape through filesystem trust boundary violation.
Suggested Mitigation
- Restrict mounted volumes to explicit, allowlisted paths only
- Add a security configuration option that defaults to no host mounts
- Document the trust boundary implications for users who enable host mounts
- Consider using Docker's
--read-only flag where write access is unnecessary
Scanner
Found by AgentGuard v0.6.1 — open-source AI agent security scanner. OWASP ASI Top 10 compliant.
Description
The Docker code executor at
autogen_ext/code_executors/docker/_docker_code_executor.pymounts host filesystem directories into sandboxed containers without explicit trust boundary validation. This allows an agent with code execution capability to escape its container sandbox and access the host filesystem.Location
python/packages/autogen-ext/src/autogen_ext/code_executors/docker/_docker_code_executor.pyImpact
An agent utilizing this code executor can read, write, or delete files on the host system through mounted volumes, bypassing the intended sandbox isolation. This is a trust boundary violation (OWASP ASI10) where the agent's code execution scope extends beyond its designated sandbox.
Severity
CRITICAL — container escape through filesystem trust boundary violation.
Suggested Mitigation
--read-onlyflag where write access is unnecessaryScanner
Found by AgentGuard v0.6.1 — open-source AI agent security scanner. OWASP ASI Top 10 compliant.