strands-agents-tools is vulnerable to Code Injection
88
High Risk
The calculator tool passes LLM-supplied expression strings through SymPy parsing that ultimately evaluates Python code, so crafted input such as __import__('os').system(...) can execute arbitrary commands on the host running the agent.
The cron tool previously wrote unsanitized schedule, command, and raw entry values directly into the user's crontab without confirmation, allowing newline injection to smuggle extra cron lines and persist malicious jobs.
The use_aws tool returned boto3 responses verbatim, exposing credential and secret fields from read APIs into LLM conversation history and telemetry.
Version 0.6.0 adds AST allowlisting and restricted parsing for calculator, full-line newline sanitization plus consent gating for crontab writes, and response redaction with consent prompts for credential-returning AWS operations.
You are affected if you are using a version that falls within the vulnerable range.
strands-agents-tools is vulnerable to Code Injection in versions 0.1.0 - 0.5.3.
Upgrade the strands-agents-tools library to the patched version, 0.6.0.
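To illustrate the AST allowlisting idea named in the description, here is an added example; it is not the code shipped in strands-agents-tools 0.6.0. It uses only the standard library `ast` module, and the function name `check_expression`, the allowlists and the length limit are assumptions made for this sketch.

```python
import ast

# Assumed allowlists for illustration; a real calculator would list what it supports.
ALLOWED_FUNCS = {"sin", "cos", "tan", "sqrt", "log", "exp", "abs"}
ALLOWED_NAMES = {"pi", "e", "x", "y", "z"}
ALLOWED_NODES = (
    ast.Expression, ast.BinOp, ast.UnaryOp, ast.Constant, ast.Name, ast.Load,
    ast.Call, ast.Add, ast.Sub, ast.Mult, ast.Div, ast.Pow, ast.Mod,
    ast.USub, ast.UAdd,
)
MAX_LEN = 200  # bound parser work on untrusted, LLM-supplied input


def check_expression(expr: str) -> list[str]:
    """Return the list of violations; an empty list means the expression
    contains only allowlisted arithmetic and may be handed to the parser."""
    if len(expr) > MAX_LEN:
        return ["expression too long"]
    try:
        # mode="eval" accepts a single expression only: no statements, no
        # second line, so embedded newlines or "import os" fail here.
        tree = ast.parse(expr, mode="eval")
    except (SyntaxError, ValueError) as exc:
        return [f"not a valid expression: {exc}"]
    problems = []
    for node in ast.walk(tree):
        if not isinstance(node, ALLOWED_NODES):
            # Attribute, Subscript, Lambda, comprehensions, keyword, ... end up here.
            problems.append(f"node type {type(node).__name__} not allowed")
        elif isinstance(node, ast.Constant) and type(node.value) not in (int, float):
            problems.append(f"{type(node.value).__name__} constant not allowed")
        elif isinstance(node, ast.Call) and not (
            isinstance(node.func, ast.Name) and node.func.id in ALLOWED_FUNCS
        ):
            problems.append("call target not in function allowlist")
        elif isinstance(node, ast.Name) and node.id not in ALLOWED_FUNCS | ALLOWED_NAMES:
            problems.append(f"name {node.id!r} not allowed")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs, including the payload shape quoted in the advisory.
    for sample in ("2*sin(x)**2 + sqrt(3)/pi", "__import__('os').system('id')"):
        print(sample, "->", check_expression(sample) or "ok")
```

The check is structural only: an expression such as `9**9**9` passes it, so evaluation cost still needs its own limit.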