Project Ricochet's top notch developers, designers and PM’s allowed us to bring our vision of an e-commerce style class search to life. We had a tight budget and a lot of unexpected problems on the Berkeley side. Utilizing Ricochet's state of the art tracking tools and disciplined scrum approach allowed us to surmount every challenge and end up with a fantastic application. We loved the creative collaboration that allowed us to remake a boring campus class schedule into a high-octane search tool that our students and faculty love! Thank you Casey and the whole PR team!
—Johanna Metzgar

AI (Artificial Intelligence) - Critical - Remote Code Execution - SA-CONTRIB-2025-021

Wed, 2025-03-05 09:18 — Anonymous (not verified)

Project: AI (Artificial Intelligence)Date: 2025-March-05Security risk: Critical 15 ∕ 25 AC:Complex/A:User/CI:All/II:All/E:Theoretical/TD:UncommonVulnerability: Remote Code ExecutionAffected versions: <1.0.5Description: The AI Automators module (a submodule of AI) enables you to create different automated tasks that fills out field data using LLM outputs.
The module doesn't sufficiently sanitize input before passing it to the underlying shell as part of a command for execution, allowing an attacker to run arbitrary commands.
The vulnerability exists in optional Automator Types which are part of the optional AI Automators (sub)module.
The AI module is included in Drupal CMS.Solution: Install the latest version:

If you use the AI module for Drupal, upgrade to AI 1.0.5

Reported By:

Drew Webber (mcdruid) of the Drupal Security Team

Fixed By:

Marcus Johansson (marcus_johansson)
Drew Webber (mcdruid) of the Drupal Security Team
Michal Gow (seogow)

Coordinated By:

Drew Webber (mcdruid) of the Drupal Security Team

Path to article https://www.drupal.org/sa-contrib-2025-021

Search form

AI (Artificial Intelligence) - Critical - Remote Code Execution - SA-CONTRIB-2025-021