From b3b9d3211bef9c47e6cd02c3b3f7d30d987dc746 Mon Sep 17 00:00:00 2001
From: Dhaval Chaudhari
Date: Sun, 31 Aug 2025 15:54:20 +0530
Subject: [PATCH 1/5] Add new category for prompt injection memory exhaustion vulnerabilities
---
...pt-prompt-injection-memory-exhaustion.yaml | 122 ++++++++++++++++++
rules/cre-2025-0150/test.log | 100 ++++++++++++++
rules/tags/categories.yaml | 3 +
rules/tags/tags.yaml | 27 ++++
4 files changed, 252 insertions(+)
create mode 100644 rules/cre-2025-0150/autogpt-prompt-injection-memory-exhaustion.yaml
create mode 100644 rules/cre-2025-0150/test.log
diff --git a/rules/cre-2025-0150/autogpt-prompt-injection-memory-exhaustion.yaml b/rules/cre-2025-0150/autogpt-prompt-injection-memory-exhaustion.yaml
new file mode 100644
index 0000000..7df8419
--- /dev/null
+++ b/rules/cre-2025-0150/autogpt-prompt-injection-memory-exhaustion.yaml
@@ -0,0 +1,122 @@
+rules:
+ - metadata:
+ kind: prequel
+ id: 5K8mNpQr8vTzHJsEXwGcM
+ version: "1.0.0"
+ cre:
+ id: CRE-2025-0100
+ severity: 0
+ title: "AutoGPT Prompt Injection + Memory Exhaustion Cascade"
+ category: "prompt-injection-memory-exhaustion"
+ author: "Security Researcher"
+ description: |
+ AutoGPT is vulnerable to a sophisticated prompt injection attack that triggers a memory exhaustion cascade,
+ leading to complete system failure. This vulnerability exploits the interaction between prompt compression logic,
+ LLM retry mechanisms, and task execution loops.
+
+ The vulnerability stems from three interconnected failure modes:
+ 1. Prompt Compression Infinite Loop: The compress_prompt function can enter an infinite loop during middle-out deletion
+ 2. LLM Retry Memory Accumulation: Retry mechanisms accumulate memory during failed API calls without proper cleanup
+ 3. Task Execution Loop Exploitation: Main execution loop can be exploited to create recursive task generation
+
+ A malicious user can craft a prompt that triggers the prompt compression algorithm to enter an infinite loop,
+ causes LLM API failures that accumulate memory during retries, and exploits the task execution loop to generate
+ recursive tasks, resulting in memory exhaustion and system crash (SIGKILL).
+ cause: |
+ ROOT CAUSES:
+ - Prompt compression algorithm in backend/util/prompt.py lacks proper loop detection and timeout mechanisms
+ - LLM retry mechanism in backend/blocks/llm.py accumulates memory during failed API calls without cleanup
+ - Task execution loop in backend/executor/manager.py can be exploited for recursive task generation
+ - Insufficient input validation for prompt size and structure
+ - Missing circuit breakers for resource exhaustion scenarios
+ impact: |
+ BUSINESS IMPACT:
+ - CRITICAL: Complete system failure with AutoGPT process crash (exit code 137)
+ - Memory exhaustion causing OOM killer termination
+ - Service outage affecting all running agents and tasks
+ - Data loss of in-progress tasks and agent states
+ - Resource exhaustion consuming CPU and memory until system failure
+ - Potential cascading failures across integrated systems
+ impactScore: 10
+ mitigation: |
+ IMMEDIATE ACTIONS:
+ - Set strict memory limits on AutoGPT containers (max 2GB per container)
+ - Implement input validation for prompt size and structure
+ - Reduce LLM retry attempts and implement exponential backoff
+ - Deploy real-time resource monitoring and alerting
+
+ RECOVERY ACTIONS (15-60 minutes):
+ - Restart AutoGPT services with memory limits
+ - Implement prompt compression timeout mechanisms
+ - Add proper memory cleanup in retry mechanisms
+ - Deploy circuit breakers for resource exhaustion scenarios
+
+ PREVENTION STRATEGIES:
+ - Implement loop detection and timeout mechanisms in prompt compression
+ - Add task structure validation to prevent recursive loops
+ - Deploy comprehensive monitoring for memory usage patterns
+ - Implement rate limiting and request size validation
+ mitigationScore: 7
+ references:
+ - "https://github.com/Significant-Gravitas/AutoGPT/blob/main/autogpt_platform/backend/backend/util/prompt.py"
+ - "https://github.com/Significant-Gravitas/AutoGPT/blob/main/autogpt_platform/backend/backend/blocks/llm.py"
+ - "https://github.com/Significant-Gravitas/AutoGPT/blob/main/autogpt_platform/backend/backend/executor/manager.py"
+ applications:
+ - name: "AutoGPT"
+ version: ">=0.4.0"
+ containerName: "autogpt-backend"
+ tags:
+ - autogpt
+ - prompt-injection
+ - memory-exhaustion
+ - crash
+ - sigkill
+ - oom-killer
+ - recursive-tasks
+ - prompt-compression
+ - llm-retry
+ - critical-failure
+ reports: 1
+ rule:
+ sequence:
+ window: "300s"
+ event:
+ source: application-logs
+ origin: true
+ order:
+ - prompt_compression_errors
+ - memory_pressure_indicators
+ - llm_retry_failures
+ - system_crash
+ negate:
+ - normal_operation
+ - graceful_shutdown
+
+terms:
+ prompt_compression_errors:
+ field: message
+ regex: "(?i)(compress_prompt.*exceeds budget|prompt.*compression.*triggered|token.*count.*exceeded)"
+ count: 2
+
+ memory_pressure_indicators:
+ field: message
+ regex: "(?i)(memory.*usage.*exceeded|memory.*accumulation.*retry|memory.*exhaustion)"
+ count: 3
+
+ llm_retry_failures:
+ field: message
+ regex: "(?i)(LLM.*API.*call.*failed.*retrying|maximum.*retry.*attempts.*exceeded)"
+ count: 2
+
+ system_crash:
+ field: message
+ regex: "(?i)(process.*killed.*signal.*9|SIGKILL|OOM.*killer.*activated|container.*crashed)"
+ count: 1
+
+ normal_operation:
+ field: message
+ regex: "(?i)(started.*successfully|ready.*accept.*connections|health.*check.*passed)"
+
+ graceful_shutdown:
+ field: message
+ regex: "(?i)(graceful.*shutdown|shutting.*down.*normally|clean.*exit)"
diff --git a/rules/cre-2025-0150/test.log b/rules/cre-2025-0150/test.log
new file mode 100644
index 0000000..a38c5c9
--- /dev/null
+++ b/rules/cre-2025-0150/test.log
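Review bot: The metadata in this hunk carries placeholder and unpinned values that will ship as-is: `author: "Security Researcher"` is not an attribution, and the three `references` point at `blob/main/...` paths, which drift silently as the upstream tree changes — pin them to a revision (`blob/<commit-sha>/...`) or cite an advisory or issue that documents the behaviour. The `description` and `cause` blocks assert an infinite loop in `compress_prompt` and unbounded retry memory growth as established facts, yet no advisory, issue or CVE is cited; if these are the author's own findings, say so in `description` and link the report once one exists. `severity: 0` beside `impactScore: 10` reads inconsistently unless 0 is the top of this schema's scale, which is worth confirming against the other rules in the repository. The "max 2GB per container" figure in `mitigation` has no stated basis; either drop the number or say where it comes from.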
@@ -0,0 +1,100 @@
+2025-08-31T10:17:12Z [INFO] * Serving Flask app 'vulnerable_server'
+2025-08-31T10:17:12Z [INFO] * Debug mode: on
+2025-08-31T10:17:12Z [INFO] * Tip: There are .env files present. Install python-dotenv to use them.
+2025-08-31T10:17:12Z [WARNING] INFO:werkzeug:WARNING: This is a development server. Do not use it in a production deployment. Use a production WSGI server instead.
+2025-08-31T10:17:12Z [INFO] * Running on all addresses (0.0.0.0)
+2025-08-31T10:17:12Z [INFO] * Running on http://127.0.0.1:8000
+2025-08-31T10:17:12Z [INFO] * Running on http://172.18.0.7:8000
+2025-08-31T10:17:12Z [INFO] INFO:werkzeug:Press CTRL+C to quit
+2025-08-31T10:17:12Z [INFO] INFO:werkzeug: * Restarting with stat
+2025-08-31T10:17:12Z [INFO] * Tip: There are .env files present. Install python-dotenv to use them.
+2025-08-31T10:17:12Z [WARNING] WARNING:werkzeug: * Debugger is active!
+2025-08-31T10:17:12Z [INFO] INFO:werkzeug: * Debugger PIN: 312-761-273
+2025-08-31T10:17:12Z [INFO] INFO:werkzeug:172.18.0.4 - - [31/Aug/2025 10:17:12] "GET /metrics HTTP/1.1" 404 -
+2025-08-31T10:17:17Z [INFO] INFO:werkzeug:172.18.0.4 - - [31/Aug/2025 10:17:17] "GET /metrics HTTP/1.1" 404 -
+2025-08-31T10:17:22Z [INFO] INFO:werkzeug:172.18.0.4 - - [31/Aug/2025 10:17:22] "GET /metrics HTTP/1.1" 404 -
+2025-08-31T10:17:27Z [INFO] INFO:werkzeug:172.18.0.4 - - [31/Aug/2025 10:17:27] "GET /metrics HTTP/1.1" 404 -
+2025-08-31T10:17:32Z [INFO] INFO:werkzeug:172.18.0.4 - - [31/Aug/2025 10:17:32] "GET /metrics HTTP/1.1" 404 -
+2025-08-31T10:17:37Z [INFO] INFO:werkzeug:172.18.0.4 - - [31/Aug/2025 10:17:37] "GET /metrics HTTP/1.1" 404 -
+2025-08-31T10:17:42Z [INFO] INFO:werkzeug:172.18.0.4 - - [31/Aug/2025 10:17:42] "GET /metrics HTTP/1.1" 404 -
+2025-08-31T10:17:47Z [INFO] INFO:werkzeug:172.18.0.4 - - [31/Aug/2025 10:17:47] "GET /metrics HTTP/1.1" 404 -
+2025-08-31T10:17:52Z [INFO] INFO:werkzeug:172.18.0.4 - - [31/Aug/2025 10:17:52] "GET /metrics HTTP/1.1" 404 -
+2025-08-31T10:17:57Z [INFO] INFO:werkzeug:172.18.0.4 - - [31/Aug/2025 10:17:57] "GET /metrics HTTP/1.1" 404 -
+2025-08-31T10:18:02Z [INFO] INFO:werkzeug:172.18.0.4 - - [31/Aug/2025 10:18:02] "GET /metrics HTTP/1.1" 404 -
+2025-08-31T10:18:07Z [INFO] INFO:werkzeug:172.18.0.4 - - [31/Aug/2025 10:18:07] "GET /metrics HTTP/1.1" 404 -
+2025-08-31T10:18:08Z [INFO] INFO:werkzeug:172.18.0.1 - - [31/Aug/2025 10:18:08] "GET /health HTTP/1.1" 200 -
+2025-08-31T10:18:08Z [WARNING] WARNING:vulnerable_server:Recursive content detected - vulnerability trigger 1
+2025-08-31T10:18:08Z [WARNING] WARNING:vulnerable_server:Memory exhaustion keywords detected - vulnerability trigger 3
+2025-08-31T10:18:08Z [WARNING] WARNING:vulnerable_server:Prompt compression triggered - attempting to compress tokens
+2025-08-31T10:18:08Z [ERROR] ERROR:vulnerable_server:compress_prompt: prompt still exceeds budget (120,000 > 100,000)
+2025-08-31T10:18:08Z [ERROR] ERROR:vulnerable_server:LLM API call failed, retrying... (attempt 1/5)
+2025-08-31T10:18:08Z [WARNING] WARNING:vulnerable_server:Memory accumulation during retry cycle - current usage: 200MB
+2025-08-31T10:18:08Z [WARNING] WARNING:vulnerable_server:Allocated 209715200 bytes, total chunks: 1
+2025-08-31T10:18:08Z [ERROR] ERROR:vulnerable_server:LLM API call failed, retrying... (attempt 2/5)
+2025-08-31T10:18:08Z [WARNING] WARNING:vulnerable_server:Memory accumulation during retry cycle - current usage: 400MB
+2025-08-31T10:18:08Z [WARNING] WARNING:vulnerable_server:Allocated 209715200 bytes, total chunks: 2
+2025-08-31T10:18:08Z [ERROR] ERROR:vulnerable_server:LLM API call failed, retrying... (attempt 3/5)
+2025-08-31T10:18:08Z [WARNING] WARNING:vulnerable_server:Memory accumulation during retry cycle - current usage: 600MB
+2025-08-31T10:18:08Z [WARNING] WARNING:vulnerable_server:Allocated 209715200 bytes, total chunks: 3
+2025-08-31T10:18:08Z [ERROR] ERROR:vulnerable_server:LLM API call failed, retrying... (attempt 4/5)
+2025-08-31T10:18:08Z [WARNING] WARNING:vulnerable_server:Memory accumulation during retry cycle - current usage: 800MB
+2025-08-31T10:18:08Z [WARNING] WARNING:vulnerable_server:Allocated 209715200 bytes, total chunks: 4
+2025-08-31T10:18:12Z [INFO] INFO:werkzeug:172.18.0.4 - - [31/Aug/2025 10:18:12] "GET /metrics HTTP/1.1" 404 -
+2025-08-31T10:18:12Z [ERROR] ERROR:vulnerable_server:LLM API call failed, retrying... (attempt 5/5)
+2025-08-31T10:18:12Z [WARNING] WARNING:vulnerable_server:Memory accumulation during retry cycle - current usage: 1000MB
+2025-08-31T10:18:12Z [WARNING] WARNING:vulnerable_server:Allocated 209715200 bytes, total chunks: 5
+2025-08-31T10:18:12Z [CRITICAL] CRITICAL:vulnerable_server:Memory usage exceeded threshold: 95%
+2025-08-31T10:18:12Z [CRITICAL] CRITICAL:vulnerable_server:OOM killer activated - terminating AutoGPT process
+2025-08-31T10:18:12Z [ERROR] ERROR:vulnerable_server:Process killed by signal 9 (SIGKILL)
+2025-08-31T10:18:12Z [INFO] * Tip: There are .env files present. Install python-dotenv to use them.
+2025-08-31T10:18:12Z [INFO] * Serving Flask app 'vulnerable_server'
+2025-08-31T10:18:12Z [INFO] * Debug mode: on
+2025-08-31T10:18:12Z [WARNING] INFO:werkzeug:WARNING: This is a development server. Do not use it in a production deployment. Use a production WSGI server instead.
+2025-08-31T10:18:12Z [INFO] * Running on all addresses (0.0.0.0)
+2025-08-31T10:18:12Z [INFO] * Running on http://127.0.0.1:8000
+2025-08-31T10:18:12Z [INFO] * Running on http://172.18.0.7:8000
+2025-08-31T10:18:12Z [INFO] INFO:werkzeug:Press CTRL+C to quit
+2025-08-31T10:18:12Z [INFO] INFO:werkzeug: * Restarting with stat
+2025-08-31T10:18:12Z [INFO] * Tip: There are .env files present. Install python-dotenv to use them.
+2025-08-31T10:18:12Z [WARNING] WARNING:werkzeug: * Debugger is active!
+2025-08-31T10:18:12Z [INFO] INFO:werkzeug: * Debugger PIN: 803-379-536
+2025-08-31T10:18:17Z [INFO] INFO:werkzeug:172.18.0.4 - - [31/Aug/2025 10:18:17] "GET /metrics HTTP/1.1" 404 -
+2025-08-31T10:18:17Z [WARNING] WARNING:vulnerable_server:Recursive content detected - vulnerability trigger 1
+2025-08-31T10:18:17Z [WARNING] WARNING:vulnerable_server:Memory exhaustion keywords detected - vulnerability trigger 3
+2025-08-31T10:18:17Z [WARNING] WARNING:vulnerable_server:Prompt compression triggered - attempting to compress tokens
+2025-08-31T10:18:17Z [ERROR] ERROR:vulnerable_server:compress_prompt: prompt still exceeds budget (120,000 > 100,000)
+2025-08-31T10:18:17Z [ERROR] ERROR:vulnerable_server:LLM API call failed, retrying... (attempt 1/5)
+2025-08-31T10:18:17Z [WARNING] WARNING:vulnerable_server:Memory accumulation during retry cycle - current usage: 200MB
+2025-08-31T10:18:17Z [WARNING] WARNING:vulnerable_server:Allocated 209715200 bytes, total chunks: 1
+2025-08-31T10:18:17Z [ERROR] ERROR:vulnerable_server:LLM API call failed, retrying... (attempt 2/5)
+2025-08-31T10:18:17Z [WARNING] WARNING:vulnerable_server:Memory accumulation during retry cycle - current usage: 400MB
+2025-08-31T10:18:17Z [WARNING] WARNING:vulnerable_server:Allocated 209715200 bytes, total chunks: 2
+2025-08-31T10:18:22Z [INFO] INFO:werkzeug:172.18.0.4 - - [31/Aug/2025 10:18:22] "GET /metrics HTTP/1.1" 404 -
+2025-08-31T10:18:22Z [ERROR] ERROR:vulnerable_server:LLM API call failed, retrying... (attempt 3/5)
+2025-08-31T10:18:22Z [WARNING] WARNING:vulnerable_server:Memory accumulation during retry cycle - current usage: 600MB
+2025-08-31T10:18:22Z [WARNING] WARNING:vulnerable_server:Allocated 209715200 bytes, total chunks: 3
+2025-08-31T10:18:22Z [ERROR] ERROR:vulnerable_server:LLM API call failed, retrying... (attempt 4/5)
+2025-08-31T10:18:22Z [WARNING] WARNING:vulnerable_server:Memory accumulation during retry cycle - current usage: 800MB
+2025-08-31T10:18:22Z [WARNING] WARNING:vulnerable_server:Allocated 209715200 bytes, total chunks: 4
+2025-08-31T10:18:25Z [INFO] INFO:werkzeug:172.18.0.1 - - [31/Aug/2025 10:18:25] "GET /health HTTP/1.1" 200 -
+2025-08-31T10:18:25Z [ERROR] ERROR:vulnerable_server:LLM API call failed, retrying... (attempt 5/5)
+2025-08-31T10:18:25Z [WARNING] WARNING:vulnerable_server:Memory accumulation during retry cycle - current usage: 1000MB
+2025-08-31T10:18:25Z [WARNING] WARNING:vulnerable_server:Allocated 209715200 bytes, total chunks: 5
+2025-08-31T10:18:25Z [CRITICAL] CRITICAL:vulnerable_server:Memory usage exceeded threshold: 95%
+2025-08-31T10:18:25Z [CRITICAL] CRITICAL:vulnerable_server:OOM killer activated - terminating AutoGPT process
+2025-08-31T10:18:25Z [ERROR] ERROR:vulnerable_server:Process killed by signal 9 (SIGKILL)
+2025-08-31T10:18:25Z [INFO] * Tip: There are .env files present. Install python-dotenv to use them.
+2025-08-31T10:18:25Z [INFO] * Serving Flask app 'vulnerable_server'
+2025-08-31T10:18:25Z [INFO] * Debug mode: on
+2025-08-31T10:18:25Z [WARNING] INFO:werkzeug:WARNING: This is a development server. Do not use it in a production deployment. Use a production WSGI server instead.
+2025-08-31T10:18:25Z [INFO] * Running on all addresses (0.0.0.0)
+2025-08-31T10:18:25Z [INFO] * Running on http://127.0.0.1:8000
+2025-08-31T10:18:25Z [INFO] * Running on http://172.18.0.7:8000
+2025-08-31T10:18:25Z [INFO] INFO:werkzeug:Press CTRL+C to quit
+2025-08-31T10:18:25Z [INFO] INFO:werkzeug: * Restarting with stat
+2025-08-31T10:18:25Z [INFO] * Tip: There are .env files present. Install python-dotenv to use them.
+2025-08-31T10:18:25Z [WARNING] WARNING:werkzeug: * Debugger is active!
+2025-08-31T10:18:25Z [INFO] INFO:werkzeug: * Debugger PIN: 142-012-072
+2025-08-31T10:18:32Z [INFO] INFO:werkzeug:172.18.0.4 - - [31/Aug/2025 10:18:32] "GET /metrics HTTP/1.1" 404 -
+2025-08-31T10:18:37Z [INFO] INFO:werkzeug:172.18.0.4 - - [31/Aug/2025 10:18:37] "GET /metrics HTTP/1.1" 404 -
+2025-08-31T10:18:42Z [INFO] INFO:werkzeug:172.18.0.4 - - [31/Aug/2025 10:18:42] "GET /metrics HTTP/1.1" 404 -
diff --git a/rules/tags/categories.yaml b/rules/tags/categories.yaml
index e61a0cb..bd9ff1d 100644
--- a/rules/tags/categories.yaml
+++ b/rules/tags/categories.yaml
@@ -98,6 +98,9 @@ categories:
 description: Problems related to web servers
 - name: configuration-problem
 displayName: Configuration Problem
+ - name: prompt-injection-memory-exhaustion
+ displayName: Prompt Injection Memory Exhaustion
+ description: Security vulnerabilities related to prompt injection attacks causing memory exhaustion and system failures
 description: Problems related to system or application configurations
 - name: monitoring-problem
 displayName: Monitoring Problem
diff --git a/rules/tags/tags.yaml b/rules/tags/tags.yaml
index 1acb1dc..dd384cf 100644
--- a/rules/tags/tags.yaml
+++ b/rules/tags/tags.yaml
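Review bot: The fixture was captured from a Flask application called `vulnerable_server` (`Serving Flask app 'vulnerable_server'`, `Debug mode: on`), not from the AutoGPT backend the rule claims to cover, so the message strings the rule matches (`compress_prompt: prompt still exceeds budget`, `Memory accumulation during retry cycle`, `OOM killer activated`) are only known to be emitted by this harness; confirm that the real backend logs these phrases, otherwise the rule may never fire outside the test. The three `Debugger PIN:` lines and the `172.18.0.x` addresses are artefacts of the harness rather than part of the signal under test; consider redacting them so secret and IoC scanners do not flag the fixture. Note too that `Memory exhaustion keywords detected - vulnerability trigger 3` is matched by the rule's `memory.*exhaustion` alternative, so the harness's own input-filter warning counts toward the memory-pressure threshold.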
@@ -98,6 +98,33 @@ tags:
 description: Failures involving the OVSDB (Open vSwitch Database) protocol or schema.
 - name: panic
 displayName: Panic
+ - name: autogpt
+ displayName: AutoGPT
+ description: Problems with AutoGPT autonomous agent framework
+ - name: prompt-injection
+ displayName: Prompt Injection
+ description: Security vulnerabilities related to prompt injection attacks
+ - name: memory-exhaustion
+ displayName: Memory Exhaustion
+ description: Problems with memory exhaustion and resource depletion
+ - name: sigkill
+ displayName: SIGKILL
+ description: Process termination by SIGKILL signal
+ - name: oom-killer
+ displayName: OOM Killer
+ description: Out of Memory killer termination
+ - name: recursive-tasks
+ displayName: Recursive Tasks
+ description: Problems with recursive task generation
+ - name: prompt-compression
+ displayName: Prompt Compression
+ description: Issues with prompt compression algorithms
+ - name: llm-retry
+ displayName: LLM Retry
+ description: Problems with LLM retry mechanisms
+ - name: critical-failure
+ displayName: Critical Failure
+ description: Critical system failures requiring immediate attention
 description: Crashes due to unrecoverable errors, especially in Go or Rust applications.
 - name: password
 displayName: Password
From 435c0e5c48cd1e5564e57cec466e6dd31fac4d96 Mon Sep 17 00:00:00 2001
From: Dhaval Chaudhari
Date: Sun, 31 Aug 2025 16:42:19 +0530
Subject: [PATCH 2/5] fix tags
---
rules/tags/categories.yaml | 2 +-
rules/tags/tags.yaml | 15 ++++-----------
2 files changed, 5 insertions(+), 12 deletions(-)
diff --git a/rules/tags/categories.yaml b/rules/tags/categories.yaml
index bd9ff1d..42e441b 100644
--- a/rules/tags/categories.yaml
+++ b/rules/tags/categories.yaml
@@ -98,10 +98,10 @@ categories:
 description: Problems related to web servers
 - name: configuration-problem
 displayName: Configuration Problem
+ description: Problems related to system or application configurations
 - name: prompt-injection-memory-exhaustion
 displayName: Prompt Injection Memory Exhaustion
 description: Security vulnerabilities related to prompt injection attacks causing memory exhaustion and system failures
- description: Problems related to system or application configurations
 - name: monitoring-problem
 displayName: Monitoring Problem
 description: Problems related to system or application monitoring
diff --git a/rules/tags/tags.yaml b/rules/tags/tags.yaml
index dd384cf..3b4701a 100644
--- a/rules/tags/tags.yaml
+++ b/rules/tags/tags.yaml
@@ -98,6 +98,7 @@ tags:
 description: Failures involving the OVSDB (Open vSwitch Database) protocol or schema.
 - name: panic
 displayName: Panic
+ description: Application panics and unrecoverable runtime errors
 - name: autogpt
 displayName: AutoGPT
 description: Problems with AutoGPT autonomous agent framework
@@ -124,8 +125,7 @@ tags:
 description: Problems with LLM retry mechanisms
 - name: critical-failure
 displayName: Critical Failure
- description: Critical system failures requiring immediate attention
- description: Crashes due to unrecoverable errors, especially in Go or Rust applications.
+ description: Critical system failures requiring immediate attention, including crashes due to unrecoverable errors
 - name: password
 displayName: Password
 description: Problems with password policies, validation, or storage.
@@ -693,9 +693,6 @@ tags:
 - name: container-crash
 displayName: Container Crash
 description: Failures causing container crashes or unexpected terminations.
- - name: memory-exhaustion
- displayName: Memory Exhaustion
- description: Failures due to running out of memory or excessive memory consumption.
 - name: configuration-failure
 displayName: Configuration Failure
 description: Problems caused by incorrect or invalid configuration settings.
@@ -708,9 +705,7 @@ tags:
 - name: permission-denied
 displayName: Permission Denied
 description: Failures caused by insufficient access rights or permission errors.
- - name: sigkill
- displayName: SIGKILL
- description: Failures caused by processes being terminated with a SIGKILL signal.
+
 - name: jetstream
 displayName: JetStream
 description: NATS JetStream persistence & streaming subsystem issues.
@@ -854,9 +849,7 @@ tags:
 - name: cache-eviction
 displayName: Cache Eviction
 description: Problems related to cache eviction policies and performance
- - name: critical-failure
- displayName: Critical Failure
- description: Failures that cause immediate service termination or data loss
+
 - name: ssl-certificate
 displayName: SSL Certificate
 description: Problems related to SSL/TLS certificate validation, expiration, trust chain issues, or handshake failures
From 4a95833aae3fa8b2ba14f312057d922bd0c1957e Mon Sep 17 00:00:00 2001
From: Dhaval Chaudhari
Date: Thu, 30 Oct 2025 17:03:08 +0530
Subject: [PATCH 3/5] fix changes
---
...pt-prompt-injection-memory-exhaustion.yaml | 49 +++++-------------
1 file changed, 11 insertions(+), 38 deletions(-)
diff --git a/rules/cre-2025-0150/autogpt-prompt-injection-memory-exhaustion.yaml b/rules/cre-2025-0150/autogpt-prompt-injection-memory-exhaustion.yaml
index 7df8419..db7093c 100644
--- a/rules/cre-2025-0150/autogpt-prompt-injection-memory-exhaustion.yaml
+++ b/rules/cre-2025-0150/autogpt-prompt-injection-memory-exhaustion.yaml
@@ -2,9 +2,8 @@ rules:
 - metadata:
 kind: prequel
 id: 5K8mNpQr8vTzHJsEXwGcM
- version: "1.0.0"
 cre:
- id: CRE-2025-0100
+ id: CRE-2025-0150
 severity: 0
 title: "AutoGPT Prompt Injection + Memory Exhaustion Cascade"
 category: "prompt-injection-memory-exhaustion"
@@ -64,7 +63,6 @@ rules:
 applications:
 - name: "AutoGPT"
 version: ">=0.4.0"
- containerName: "autogpt-backend"
 tags:
 - autogpt
 - prompt-injection
@@ -84,39 +82,14 @@ rules:
 source: application-logs
 origin: true
 order:
- - prompt_compression_errors
- - memory_pressure_indicators
- - llm_retry_failures
- - system_crash
+ - regex: "(?i)(compress_prompt.*exceeds budget|prompt.*compression.*triggered|token.*count.*exceeded)"
+ count: 2
+ - regex: "(?i)(memory.*usage.*exceeded|memory.*accumulation.*retry|memory.*exhaustion)"
+ count: 3
+ - regex: "(?i)(LLM.*API.*call.*failed.*retrying|maximum.*retry.*attempts.*exceeded)"
+ count: 2
+ - regex: "(?i)(process.*killed.*signal.*9|SIGKILL|OOM.*killer.*activated|container.*crashed)"
+ count: 1
 negate:
- - normal_operation
- - graceful_shutdown
-
-terms:
- prompt_compression_errors:
- field: message
- regex: "(?i)(compress_prompt.*exceeds budget|prompt.*compression.*triggered|token.*count.*exceeded)"
- count: 2
-
- memory_pressure_indicators:
- field: message
- regex: "(?i)(memory.*usage.*exceeded|memory.*accumulation.*retry|memory.*exhaustion)"
- count: 3
-
- llm_retry_failures:
- field: message
- regex: "(?i)(LLM.*API.*call.*failed.*retrying|maximum.*retry.*attempts.*exceeded)"
- count: 2
-
- system_crash:
- field: message
- regex: "(?i)(process.*killed.*signal.*9|SIGKILL|OOM.*killer.*activated|container.*crashed)"
- count: 1
-
- normal_operation:
- field: message
- regex: "(?i)(started.*successfully|ready.*accept.*connections|health.*check.*passed)"
-
- graceful_shutdown:
- field: message
- regex: "(?i)(graceful.*shutdown|shutting.*down.*normally|clean.*exit)"
+ - regex: "(?i)(started.*successfully|ready.*accept.*connections|health.*check.*passed)"
+ - regex: "(?i)(graceful.*shutdown|shutting.*down.*normally|clean.*exit)"
From 648380c3469e71155c70aea3c9fea15d49dd4b6d Mon Sep 17 00:00:00 2001
From: Dhaval Chaudhari
Date: Thu, 30 Oct 2025 17:13:02 +0530
Subject: [PATCH 4/5] fix changes
---
rules/tags/tags.yaml | 162 ++++++++++++++++++++++++++++++++++---------
1 file changed, 131 insertions(+), 31 deletions(-)
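Review bot: Several alternatives in the new `order` regexes are loose enough to match lines that merely mention the term: `memory.*exhaustion` matches the harness's own `Memory exhaustion keywords detected` warning in test.log, and a bare `SIGKILL` or `container.*crashed` will match any line that quotes those words, so the count thresholds can be satisfied without the described sequence actually occurring. Anchor the patterns to the message shapes the rule is meant to catch, for example `Memory usage exceeded threshold` and `Process killed by signal 9`, instead of chained `.*` wildcards. The rewrite also drops the `field: message` selector that the old `terms:` entries carried; if the engine's default field is not `message`, these entries now match against the whole event, which is worth confirming against the schema. The enclosing `rule.sequence.event` block starts before this hunk.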
diff --git a/rules/tags/tags.yaml b/rules/tags/tags.yaml
index 3b4701a..ce00e20 100644
--- a/rules/tags/tags.yaml
+++ b/rules/tags/tags.yaml
@@ -98,34 +98,7 @@ tags:
 description: Failures involving the OVSDB (Open vSwitch Database) protocol or schema.
 - name: panic
 displayName: Panic
- description: Application panics and unrecoverable runtime errors
- - name: autogpt
- displayName: AutoGPT
- description: Problems with AutoGPT autonomous agent framework
- - name: prompt-injection
- displayName: Prompt Injection
- description: Security vulnerabilities related to prompt injection attacks
- - name: memory-exhaustion
- displayName: Memory Exhaustion
- description: Problems with memory exhaustion and resource depletion
- - name: sigkill
- displayName: SIGKILL
- description: Process termination by SIGKILL signal
- - name: oom-killer
- displayName: OOM Killer
- description: Out of Memory killer termination
- - name: recursive-tasks
- displayName: Recursive Tasks
- description: Problems with recursive task generation
- - name: prompt-compression
- displayName: Prompt Compression
- description: Issues with prompt compression algorithms
- - name: llm-retry
- displayName: LLM Retry
- description: Problems with LLM retry mechanisms
- - name: critical-failure
- displayName: Critical Failure
- description: Critical system failures requiring immediate attention, including crashes due to unrecoverable errors
+ description: Crashes due to unrecoverable errors, especially in Go or Rust applications.
 - name: password
 displayName: Password
 description: Problems with password policies, validation, or storage.
@@ -240,6 +213,9 @@ tags:
 - name: api-key
 displayName: Api Key
 description: Problems related to API keys, such as missing, invalid, or expired credentials
+ - name: jwt
+ displayName: JWT
+ description: Problems related to JSON Web Tokens, such as invalid signatures, expired tokens, or malformed claims
 - name: async
 displayName: Async
 description: Problems related to asynchronous execution, such as hung tasks, race conditions, or callback errors
@@ -693,6 +669,9 @@ tags:
 - name: container-crash
 displayName: Container Crash
 description: Failures causing container crashes or unexpected terminations.
+ - name: memory-exhaustion
+ displayName: Memory Exhaustion
+ description: Failures due to running out of memory or excessive memory consumption.
 - name: configuration-failure
 displayName: Configuration Failure
 description: Problems caused by incorrect or invalid configuration settings.
@@ -705,7 +684,9 @@ tags:
 - name: permission-denied
 displayName: Permission Denied
 description: Failures caused by insufficient access rights or permission errors.
-
+ - name: sigkill
+ displayName: SIGKILL
+ description: Failures caused by processes being terminated with a SIGKILL signal.
 - name: jetstream
 displayName: JetStream
 description: NATS JetStream persistence & streaming subsystem issues.
@@ -849,7 +830,9 @@ tags:
 - name: cache-eviction
 displayName: Cache Eviction
 description: Problems related to cache eviction policies and performance
-
+ - name: critical-failure
+ displayName: Critical Failure
+ description: Failures that cause immediate service termination or data loss
 - name: ssl-certificate
 displayName: SSL Certificate
 description: Problems related to SSL/TLS certificate validation, expiration, trust chain issues, or handshake failures
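Review bot: The `jwt` entry added in this hunk, and the block of 39 Redis, Supabase, n8n and generic tags appended at the end of the file in this patch's last hunk (`maxmemory` through `data-integrity`), have nothing to do with the prompt-injection rule this series introduces; they look like the residue of rebasing onto a newer `tags.yaml` and should either be dropped from this change or land in their own commit so the diffstat reflects what the rule actually needs. That last hunk also preserves `\ No newline at end of file`, which the added lines could fix by terminating the `data-integrity` description with a newline. Of the entries the rule still references after patch 5, this patch restores `memory-exhaustion` and `sigkill` here and adds `autogpt` at the end of the file, so those three resolve; the `autogpt` description differs from the one patch 1 introduced, which is fine as long as it is the intended wording.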
@@ -864,4 +847,121 @@ tags:
 description: Issues with Kubernetes pod scheduling due to resource constraints or networking problems
 - name: cluster-scaling
 displayName: Cluster Scaling
- description: Problems related to Kubernetes cluster scaling operations and capacity management
\ No newline at end of file
+ description: Problems related to Kubernetes cluster scaling operations and capacity management
+ - name: maxmemory
+ displayName: Max Memory
+ description: Problems related to Redis maxmemory configuration and memory limits
+ - name: noeviction
+ displayName: No Eviction
+ description: Issues when Redis noeviction policy prevents writing new data
+ - name: wrongpass
+ displayName: Wrong Password
+ description: Authentication failures due to incorrect Redis passwords
+ - name: master-replica
+ displayName: Master-Replica
+ description: Issues with Redis master-replica replication relationships
+ - name: sync
+ displayName: Sync
+ description: Data synchronization problems in distributed systems
+ - name: psync
+ displayName: Partial Sync
+ description: Redis partial resynchronization issues
+ - name: aof
+ displayName: AOF
+ description: Redis Append-Only File persistence issues
+ - name: slowlog
+ displayName: Slow Log
+ description: Database slow query logging and performance issues
+ - name: latency
+ displayName: Latency
+ description: Response time and performance latency issues
+ - name: slow-query
+ displayName: Slow Query
+ description: Database queries that exceed performance thresholds
+ - name: write-error
+ displayName: Write Error
+ description: Failures when attempting write operations
+ - name: recovery
+ displayName: Recovery
+ description: Data recovery and restoration operations
+ - name: maxclients
+ displayName: Max Clients
+ description: Connection limit issues in database systems
+ - name: connection-pool
+ displayName: Connection Pool
+ description: Problems with database connection pooling
+ - name: limit
+ displayName: Limit
+ description: Various system and resource limits being exceeded
+ - name: disk
+ displayName: Disk
+ description: Problems related to disk storage, space, or I/O operations
+ - name: replica
+ displayName: Replica
+ description: Issues related to database replicas and read-only instances
+ - name: supabase
+ displayName: Supabase
+ description: Problems related to Supabase self-hosted deployments and services
+ - name: gotrue
+ displayName: GoTrue
+ description: Problems related to Supabase's GoTrue authentication service
+ - name: realtime
+ displayName: Realtime
+ description: Problems related to Supabase's realtime service and WebSocket connections
+ - name: self-hosted
+ displayName: Self-Hosted
+ description: Problems specific to self-hosted deployments and infrastructure
+ - name: exit-code
+ displayName: Exit Code
+ description: Problems identified by specific process/container exit codes (e.g., 137, 127, 134, 139).
+ - name: entrypoint
+ displayName: Entrypoint
+ description: Failures caused by invalid or missing container ENTRYPOINT/CMD definitions.
+ - name: command
+ displayName: Command
+ description: Problems caused by invalid commands or arguments at startup (e.g., not found, bad path, non-executable).
+ - name: sigabrt
+ displayName: SIGABRT
+ description: Crashes where a process aborts with SIGABRT (exit 134), often due to assertion failures or allocator checks.
+ - name: native
+ displayName: Native
+ description: Issues in native code paths (C/C++/Rust, libc/ABI), including crashes and memory faults.
+ - name: reliability
+ displayName: Reliability
+ description: Unstable behavior such as unexpected restarts, crash loops, or intermittent failures affecting service reliability.
+ - name: autogpt
+ displayName: AutoGPT
+ description: Problems related to AutoGPT autonomous AI agent framework
+ - name: infinite-loop
+ displayName: Infinite Loop
+ description: Problems where code enters infinite loops causing resource exhaustion or system hangs
+ - name: token-exhaustion
+ displayName: Token Exhaustion
+ description: Problems where LLM API token limits are exceeded causing service failures
+ - name: autonomous-agents
+ displayName: Autonomous Agents
+ description: Problems related to autonomous AI agents that chain LLM reasoning with real-world actions
+ - name: llm
+ displayName: LLM
+ description: Problems related to Large Language Models and their API integrations
+ - name: openai
+ displayName: OpenAI
+ description: Problems related to OpenAI API services including GPT models
+ - name: recursive-analysis
+ displayName: Recursive Analysis
+ description: Problems where systems enter recursive self-analysis loops leading to resource exhaustion
+ - name: n8n
+ displayName: N8N
+ description: Problems related to n8n workflow automation platform
+ - name: workflow-automation
+ displayName: Workflow Automation
+ description: Problems related to workflow automation systems and platforms
+ - name: silent-failure
+ displayName: Silent Failure
+ description: Problems that occur without visible error messages or alerts, making detection extremely difficult
+ - name: production-critical
+ displayName: Production Critical
+ description: Issues that have severe impact on production systems and require immediate attention
+ - name: data-integrity
+ displayName: Data Integrity
+ description: Problems that affect the completeness, accuracy, or consistency of data
\ No newline at end of file
From 93248b95a2f32ed50f4554ab8346df717899c2ef Mon Sep 17 00:00:00 2001
From: Dhaval Chaudhari
Date: Thu, 30 Oct 2025 17:16:32 +0530
Subject: [PATCH 5/5] fix changes
---
.../autogpt-prompt-injection-memory-exhaustion.yaml | 6 ------
1 file changed, 6 deletions(-)
diff --git a/rules/cre-2025-0150/autogpt-prompt-injection-memory-exhaustion.yaml b/rules/cre-2025-0150/autogpt-prompt-injection-memory-exhaustion.yaml
index db7093c..5ae6a78 100644
--- a/rules/cre-2025-0150/autogpt-prompt-injection-memory-exhaustion.yaml
+++ b/rules/cre-2025-0150/autogpt-prompt-injection-memory-exhaustion.yaml
@@ -65,15 +65,9 @@ rules:
 version: ">=0.4.0"
 tags:
 - autogpt
- - prompt-injection
 - memory-exhaustion
 - crash
 - sigkill
- - oom-killer
- - recursive-tasks
- - prompt-compression
- - llm-retry
- - critical-failure
 reports: 1
 rule:
 sequence:
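Review bot: After this hunk the rule is tagged `autogpt`, `memory-exhaustion`, `crash` and `sigkill`, but `prompt-injection`, the term that names the rule's `category` and title, is removed along with `oom-killer`; deleting the tags because patch 4 dropped their definitions from `tags.yaml` hides the rule from anyone filtering on prompt injection. Rather than removing it here, restore the `- name: prompt-injection` entry with its `displayName` and `description` in `tags.yaml` (patch 4 removed the one patch 1 added) and keep `- prompt-injection` in this list. `crash` is neither defined nor touched anywhere in the series, so confirm that `tags.yaml` already has it before merging. The enclosing `metadata` block starts before this hunk.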