CVE-2025-51472: n/a
Code Injection in AgentTemplate.eval_agent_config in TransformerOptimus SuperAGI 0.0.14 allows remote attackers to execute arbitrary Python code via malicious values in agent template configurations such as the goal, constraints, or instruction field, which are evaluated using eval() without validation during template loading or updates.
AI Analysis
Technical Summary
CVE-2025-51472 is a code injection vulnerability identified in the TransformerOptimus SuperAGI software, specifically in the function AgentTemplate.eval_agent_config. This vulnerability arises because the software evaluates certain agent template configuration fields—such as goal, constraints, or instruction—using Python's eval() function without proper input validation or sanitization. Since eval() executes the passed string as Python code, an attacker who can supply malicious values in these configuration fields can execute arbitrary Python code remotely on the affected system.

The vulnerability does not require authentication or user interaction, and it can be exploited over the network (AV:N), with low attack complexity (AC:L). The CVSS v3.1 base score is 6.5, indicating a medium severity level. The impact primarily affects confidentiality and integrity, as arbitrary code execution can lead to data leakage or unauthorized modification, but availability impact is not indicated. No known exploits are reported in the wild yet, and no patches have been linked at the time of publication.

The vulnerability is classified under CWE-77, which relates to improper neutralization of special elements used in a command ('Command Injection'). This vulnerability is critical to address because it allows remote code execution without any authentication, potentially enabling attackers to fully compromise affected systems running vulnerable versions of TransformerOptimus SuperAGI 0.0.14 or similar.
Potential Impact
For European organizations using TransformerOptimus SuperAGI, this vulnerability poses a significant risk. The ability for unauthenticated remote attackers to execute arbitrary code can lead to unauthorized access to sensitive data, manipulation of AI agent behaviors, and potential lateral movement within networks. Organizations relying on AI-driven automation or decision-making tools that incorporate SuperAGI may face data confidentiality breaches and integrity violations, undermining trust in automated processes. Additionally, compromised systems could be leveraged as footholds for further attacks, including espionage or sabotage. Given the increasing adoption of AI frameworks in sectors such as finance, healthcare, manufacturing, and critical infrastructure across Europe, the exploitation of this vulnerability could disrupt operations and violate data protection regulations like GDPR. The medium severity rating suggests that while exploitation is feasible and impactful, it may not immediately lead to full system compromise or widespread outages, but the risk remains substantial.
Mitigation Recommendations
To mitigate this vulnerability, European organizations should first identify all instances of TransformerOptimus SuperAGI in their environments, especially version 0.0.14 or earlier if applicable. Since no official patches are currently available, organizations should implement immediate compensating controls:
1) Restrict network access to systems running SuperAGI to trusted internal networks or VPNs to reduce exposure to remote attackers.
2) Employ strict input validation and sanitization on all agent template configuration inputs before they are processed by the eval_agent_config function, ideally by disabling or replacing the use of eval() with safer parsing methods.
3) Monitor logs and system behavior for unusual activity indicative of code injection attempts.
4) Use application-layer firewalls or runtime application self-protection (RASP) tools to detect and block malicious payloads targeting configuration fields.
5) Engage with the vendor or open-source maintainers to obtain or contribute patches that remove unsafe eval() usage.
6) Implement strict role-based access controls to limit who can modify agent templates, reducing the risk of insider threats or accidental injection.
7) Conduct security reviews and code audits on AI agent configuration handling to prevent similar vulnerabilities in future versions.
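The eval() replacement recommended in item 2, sketched as an added example (it is not SuperAGI's code or the project's fix): the unsafe pattern next to a parser built on `ast.literal_eval` with shape checks. The function names, the size limits and the assumption that each field is stored as a Python-literal list of strings are hypothetical; the sample inputs are constructed.

```python
from __future__ import annotations
import ast

MAX_ITEMS = 50        # assumed limits, not taken from SuperAGI
MAX_ITEM_LEN = 2000
FIELDS = ("goal", "constraints", "instruction")  # fields named in the advisory

class TemplateFieldError(ValueError):
    """A stored template field is not a plain, bounded list of strings."""

def parse_field_unsafe(raw: str):
    # The pattern the advisory describes: the stored string runs as Python.
    return eval(raw)

def parse_field_safe(raw: str) -> list[str]:
    # literal_eval only builds literals (str, numbers, list, dict, ...);
    # names, calls and attribute access raise instead of executing.
    try:
        value = ast.literal_eval(raw)
    except (ValueError, TypeError, SyntaxError,
            MemoryError, RecursionError) as exc:
        raise TemplateFieldError(f"not a literal: {exc}") from exc
    if isinstance(value, str):
        value = [value]
    if not isinstance(value, list) or len(value) > MAX_ITEMS:
        raise TemplateFieldError("expected a bounded list of strings")
    for item in value:
        if not isinstance(item, str) or len(item) > MAX_ITEM_LEN:
            raise TemplateFieldError("every item must be a bounded string")
    return value

def load_template(config: dict[str, str]) -> dict[str, list[str]]:
    # Reject the whole template if any known field fails validation.
    return {k: parse_field_safe(config[k]) for k in FIELDS if k in config}

# Constructed inputs: a well-formed template, and a harmless call expression
# standing in for any value that is code rather than data.
BENIGN = {
    "goal": "['Summarise the weekly report']",
    "constraints": "['No external network access']",
    "instruction": "['Be concise']",
}
NON_LITERAL = "sorted(['b', 'a'])"

if __name__ == "__main__":
    print(load_template(BENIGN))
    print("eval ran the expression:", parse_field_unsafe(NON_LITERAL))
    try:
        parse_field_safe(NON_LITERAL)
    except TemplateFieldError as err:
        print("rejected:", err)
```

Storing these fields as JSON and parsing them with `json.loads` gives the same property and removes Python literal syntax from the data format altogether.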
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2025-06-16T00:00:00.000Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 687ff645a915ff00f7fa9e70
Added to database: 7/22/2025, 8:36:21 PM
Last enriched: 7/22/2025, 8:51:19 PM
Last updated: 9/3/2025, 7:06:05 AM