Overview
- Adversa AI disclosed a class-level flaw called GuardFall that uses decades-old Bash parsing behaviors to turn seemingly safe text into real shell commands after an agent’s plain-text guard approves it.
- The bypass works because guards inspect the raw command text while Bash strips quotes, expands variables such as $IFS into word separators, and reshapes arguments before executing, so a filter can miss obfuscated tokens such as r''m that become rm at runtime.
- Adversa tested eleven popular open-source coding and computer-use agents and found ten left the structural gap open, with only the Continue project using a tokenize-and-canonicalize guard that largely prevented the payloads.
- The team demonstrated end-to-end lab exploits against the production Plandex binary and showed the attack shape worked against multiple other agents but said no public real-world exploitation has been reported.
- Short-term steps include running agents from isolated HOME directories, disabling auto-execute flags, auditing repo-shipped configs, and blocking agents on fork PRs, while the durable fix is building in-agent tokenization that evaluates the command the way Bash will run it.
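To make the guard gap concrete, here is an added example (not Adversa's code and not from any of the tested agents) contrasting a raw-text deny-list guard with a simplified tokenize-and-canonicalize guard in Python. The deny list, sample commands and the $IFS handling are constructed for the demo; the canonicalizer approximates Bash word splitting and quote removal with shlex and does not model command substitution or a full shell grammar.

```python
import re
import shlex

# Constructed deny list for the demo; a real guard would be policy-driven.
DENIED_COMMANDS = {"rm"}
# Control operators after which Bash starts a new simple command.
SEPARATORS = {";", "&&", "||", "|", "&", "(", ")"}
# $IFS / ${IFS} expand to whitespace, which Bash then uses to split words.
IFS_RE = re.compile(r"\$\{IFS\}|\$IFS")


def plain_text_guard(cmd: str) -> bool:
    """Raw-text guard: compares whitespace-separated words against the deny list.
    Returns True when the command is allowed. This is the shape that GuardFall bypasses."""
    return not any(word in DENIED_COMMANDS for word in cmd.split())


def canonicalize(cmd: str) -> list[str]:
    """Approximate what Bash will execute: expand $IFS to a space, strip quotes and
    backslash escapes, and split on whitespace and control operators.
    (A simplified model of Bash word splitting, not a full shell parser.)"""
    expanded = IFS_RE.sub(" ", cmd)
    lexer = shlex.shlex(expanded, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


def command_names(tokens: list[str]) -> list[str]:
    """Return the first word of every simple command in the token stream."""
    names, expect_cmd = [], True
    for tok in tokens:
        if tok in SEPARATORS:
            expect_cmd = True
        elif expect_cmd:
            names.append(tok)
            expect_cmd = False
    return names


def canonical_guard(cmd: str) -> bool:
    """Tokenize-and-canonicalize guard: deny if any command Bash would actually
    run, after quote removal and $IFS expansion, is on the deny list."""
    return not any(name in DENIED_COMMANDS for name in command_names(canonicalize(cmd)))


if __name__ == "__main__":
    for sample in ["ls -la", "r''m -rf ./build", "echo ok; rm$IFS-rf ./build"]:
        print(f"{sample!r:36} plain={plain_text_guard(sample)} canonical={canonical_guard(sample)}")
```

The canonical guard also judges only command position, so `echo 'rm is not run here'` and `git rm file` are allowed while the raw-text guard would either miss or over-block them.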