
GuardFall bypasses blocklists in 10 of 11 AI coding agents via decades-old bash quote-stripping
GuardFall demonstrates that blocklist-based safety in open-source AI coding agents fails against standard bash rewriting, leaving 10 of 11 tools exposed to repository-triggered command execution. The flaw is systemic, not a single bug, and creates an immediate supply-chain vector for credential theft in automated pipelines. Only Continue's pre-execution tokenization provides measurable resistance.
The attack succeeds because agents inspect raw strings against dangerous-pattern lists while bash strips empty quotes, expands variables and decodes base64 before running the command. A filter that blocks rm sees r''m as benign; the shell executes rm -rf anyway. Production tests against Plandex confirmed end-to-end execution when auto-run flags were enabled and the agent ingested a malicious repository file or build instruction. No CVE exists because the root issue is architectural: text matching versus actual shell semantics.
This pattern repeats across the 548,000-star ecosystem because every agent except Continue reused the same shortcut of regex blocklists instead of tokenizing like bash. The Hermes issue tracker documented the initial vector; the remaining tools replicated the flaw under identical conditions. The supply-chain exposure is direct: a single poisoned .aider.conf.yml or PR from a fork reaches full user privileges once the agent auto-executes.
Continue's defense tokenizes first, then applies a hard destructive-command block, surviving all Adversa payloads in editor mode. Re-implementing equivalent parsing requires roughly two engineer-days. Until then, exposure is reduced only by isolating $HOME, disabling auto-execute, and treating repository config as untrusted code.
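The gap between raw-string matching and tokenize-then-block, as an added example (not code from Continue, Adversa or any agent named here). The blocklist contents, the function names and the sample commands are constructed for illustration, and the guard refuses anything it cannot resolve statically rather than trying to emulate bash in full.

```python
import os
import re
import shlex

# Constructed sample policy, not taken from any agent named in the article.
DESTRUCTIVE = {"rm", "mkfs", "dd"}
REPARSERS = {"sh", "bash", "eval"}          # feed their input back into a shell
UNMODELLED = re.compile(r"[$`{}*?\[\n\r]")  # expansions, globs, multi-line input


def naive_allows(cmd: str) -> bool:
    """Raw-string blocklist, the approach the article describes as bypassable."""
    return not any(re.search(rf"\b{re.escape(w)}\b", cmd) for w in DESTRUCTIVE)


def shell_words(cmd: str) -> list[str]:
    """Split cmd the way a POSIX shell does: quotes and backslashes removed,
    operators such as ; | && returned as separate tokens."""
    lexer = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


def shell_aware_allows(cmd: str) -> bool:
    """Tokenize first, then apply the block. Fails closed: False means
    'do not auto-run', for example fall back to asking the user."""
    if UNMODELLED.search(cmd):
        return False              # cannot know statically what bash will run
    try:
        words = shell_words(cmd)
    except ValueError:            # unbalanced quote or trailing backslash
        return False
    return not any(os.path.basename(w) in DESTRUCTIVE | REPARSERS for w in words)


if __name__ == "__main__":
    samples = [                   # constructed inputs
        "ls -la src",
        "git commit -m 'rm old files'",
        "sudo /bin/r''m -rf build",
        "$CMD -rf build",
    ]
    for s in samples:
        print(f"{s!r:34} naive={naive_allows(s)} shell_aware={shell_aware_allows(s)}")
```

The raw-string filter fails in both directions: it passes the quoted `r''m` form and rejects a harmless commit message that merely contains the word `rm`.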
The next milestone is whether maintainers adopt shell-aware guards or continue shipping agents that treat the interpreter as a safe black box.
Continue: 60% of the listed agents will ship bash-tokenizing guards by Q4 2026 or lose default auto-run support
Sources (3)
- [1] Primary Source (https://thehackernews.com/2026/06/guardfall-exposes-open-source-ai-coding.html)
- [2] Supporting Source (https://github.com/hermes-ai/hermes/issues/312)
- [3] Supporting Source (https://adversa.ai/research/guardfall)