Skip to content

Security: Docker code executor mounts host filesystem without trust boundary validation (ASI10) #7917

Description

@dockfixlabs

Description

The Docker code executor at autogen_ext/code_executors/docker/_docker_code_executor.py mounts host filesystem directories into sandboxed containers without explicit trust boundary validation. This allows an agent with code execution capability to escape its container sandbox and access the host filesystem.

Location

python/packages/autogen-ext/src/autogen_ext/code_executors/docker/_docker_code_executor.py

Impact

An agent utilizing this code executor can read, write, or delete files on the host system through mounted volumes, bypassing the intended sandbox isolation. This is a trust boundary violation (OWASP ASI10) where the agent's code execution scope extends beyond its designated sandbox.

Severity

CRITICAL — container escape through filesystem trust boundary violation.

Suggested Mitigation

  1. Restrict mounted volumes to explicit, allowlisted paths only
  2. Add a security configuration option that defaults to no host mounts
  3. Document the trust boundary implications for users who enable host mounts
  4. Consider using Docker's --read-only flag where write access is unnecessary

Scanner

Found by AgentGuard v0.6.1 — open-source AI agent security scanner. OWASP ASI Top 10 compliant.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions