Particle.news

GuardFall: Old Bash Parsing Lets Malicious Commands Slip Past AI Agent Guards

Researchers say a mismatch between text-based checks and Bash’s runtime rewriting can let agents run destructive shell commands with a developer’s account.

Overview

  • Adversa AI disclosed a class-level flaw called GuardFall that uses decades-old Bash parsing behaviors to turn seemingly safe text into real shell commands after an agent’s plain-text guard approves it.
  • The bypass works because the guard inspects the raw command string while Bash performs quote removal, parameter expansion and word splitting before executing it: r''m is scanned as four characters but runs as rm, and $IFS expands to whitespace, so rm$IFS-rf becomes the two words rm -rf. A filter that never sees the post-expansion argv misses the tokens that matter.
  • Adversa tested eleven popular open-source coding and computer-use agents and found ten left the structural gap open, with only the Continue project using a tokenize-and-canonicalize guard that largely prevented the payloads.
  • The team demonstrated end-to-end lab exploits against the production Plandex binary and showed the attack shape worked against multiple other agents but said no public real-world exploitation has been reported.
  • Short-term steps include running agents from isolated HOME directories, disabling auto-execute flags, auditing repo-shipped configs, and blocking agents on fork PRs, while the durable fix is building in-agent tokenization that evaluates the command the way Bash will run it.
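The following is an added example written for this article, not Adversa AI's test harness, the Continue project's guard, or any agent's real code. It places a plain-text guard beside a tokenize-and-canonicalize guard and runs both over constructed payloads in the shapes described above (quote removal, $IFS as a separator, a second command after a separator). The denylist is constructed, the guard assumes the default IFS, and anything it cannot resolve statically (other expansions, command substitution, eval) is denied rather than guessed at.

```python
"""Added example: a plain-text guard beside a tokenize-and-canonicalize guard.
Illustrative code for this article, not any agent's real guard; denylist,
IFS assumption and payloads are constructed for the demo."""
from __future__ import annotations

import os
import re
import shlex

# Constructed denylist of command names an agent should not auto-execute.
DANGEROUS = {"rm", "mkfs", "dd", "shred", "curl", "wget"}

# Tokens shlex emits for control operators when punctuation_chars=True;
# the word after any of these starts a new simple command.
SEPARATORS = {";", "&", "&&", "|", "||", "|&", ";;", "(", ")"}

# Assumption: default IFS, so $IFS / ${IFS} expand to whitespace and word
# splitting turns rm$IFS-rf into two words.  A real guard should read the
# agent's actual environment instead of assuming the default.
IFS_REF = re.compile(r"\$\{IFS\}|\$IFS(?![A-Za-z0-9_])")

# Anything a static pass cannot resolve (other expansions, command
# substitution, eval): fail closed rather than guess.
UNRESOLVABLE = re.compile(r"[$`]|\beval\b")

ASSIGNMENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*=")


def naive_guard(cmd: str) -> bool:
    """Plain-text guard: check the first whitespace-delimited word as typed."""
    words = cmd.split()
    return not words or words[0] not in DANGEROUS


def canonicalize(cmd: str) -> list[str] | None:
    """Approximate the argv Bash will build: expand $IFS, refuse anything else
    that needs runtime evaluation, then apply POSIX quote removal and word
    splitting via shlex.  None means the command must be denied."""
    expanded = IFS_REF.sub(" ", cmd)
    if UNRESOLVABLE.search(expanded):
        return None
    lex = shlex.shlex(expanded, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    try:
        return list(lex)
    except ValueError:  # unbalanced quotes: Bash would not run it either
        return None


def command_names(tokens: list[str]) -> list[str]:
    """Command word of every simple command in the token list, skipping
    VAR=value prefixes and reducing /bin/rm to rm.  Wrappers such as sudo,
    env or xargs are deliberately not modelled in this demo."""
    names, expect_command = [], True
    for tok in tokens:
        if tok in SEPARATORS:
            expect_command = True
        elif expect_command and not ASSIGNMENT.match(tok):
            names.append(os.path.basename(tok))
            expect_command = False
    return names


def canonical_guard(cmd: str) -> bool:
    """Tokenize-and-canonicalize guard: decide on the argv Bash would run."""
    tokens = canonicalize(cmd)
    if tokens is None:
        return False
    return not any(name in DANGEROUS for name in command_names(tokens))


# Constructed payloads in the shapes the article describes, plus benign controls.
PAYLOADS = [
    "r''m -rf ~/.ssh",          # quote removal hides rm from a text scan
    'r""m -rf ~/.ssh',          # same trick with double quotes
    "rm$IFS-rf$IFS~",           # $IFS becomes a word separator at runtime
    "echo ok; r''m -rf /",      # second simple command after a separator
    "/bin/r''m -rf /",          # path prefix plus quote removal
    "$(printf rm) -rf /",       # needs runtime evaluation: deny, do not guess
    "ls -la",                   # benign
    "git status && cat README.md",
]


def compare(payloads=PAYLOADS) -> dict[str, tuple[bool, bool]]:
    """Map each command to (naive_allows, canonical_allows)."""
    return {p: (naive_guard(p), canonical_guard(p)) for p in payloads}


if __name__ == "__main__":
    for cmd, (naive, canon) in compare().items():
        print(f"{cmd!r:34} naive={'ALLOW' if naive else 'deny':5} "
              f"canonical={'ALLOW' if canon else 'deny'}")
```

The naive guard allows every constructed payload except a literal `rm`, because it evaluates the characters the developer sees; the canonical guard denies all of them, because it evaluates the argv Bash would execute. The trade-off is deliberate fail-closed behaviour: a quoted `';'` argument is indistinguishable from the operator after quote removal, so a benign command that happens to contain one may be refused, and anything containing `$`, a backtick or `eval` is refused outright.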