CVE-2026-5366
Prefect · Prefect
Prefect is vulnerable to remote code execution due to improper validation of user-controlled input in the GitRepository storage class, allowing attackers to inject arbitrary git flags.
Executive summary
A critical remote code execution vulnerability in Prefect allows authenticated users with deployment permissions to execute arbitrary commands on worker machines, threatening multi-tenant security.
Vulnerability
The vulnerability exists in the GitRepository storage class, where user-controlled parameters such as commit_sha and directories are passed to git commands without adequate sanitization and without an end-of-options separator. An attacker who controls these values can therefore supply git flags such as --upload-pack in place of a commit or path, and that flag causes git to execute an external program.
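The defensive pattern that closes this class of bug is to treat every deployment-supplied git value as untrusted: allow-list its shape, refuse anything that begins with "-", and keep path operands behind git's "--" separator. The following is an added, self-contained illustration written for this advisory; it is not Prefect's code, and the function names, regular expressions and sample inputs are assumptions. Only the parameter names commit_sha and directories come from the advisory.

```python
import re
import subprocess
from typing import Sequence

# Added illustration, not Prefect's own code: a small git wrapper that treats
# commit_sha and directories as untrusted, refuses option-like values, and
# keeps path arguments behind git's "--" end-of-options separator.

COMMIT_SHA_RE = re.compile(r"^[0-9a-fA-F]{7,40}$")              # abbreviated or full SHA-1
DIRECTORY_RE = re.compile(r"^[A-Za-z0-9._][A-Za-z0-9._/-]*$")   # relative path, no leading '-' or '/'


def is_option_like(value: str) -> bool:
    """True when git would parse this value as a flag rather than an operand."""
    return value.startswith("-")


def validation_errors(commit_sha: str, directories: Sequence[str]) -> list[str]:
    """Return every reason the inputs are unsafe; an empty list means they passed."""
    errors: list[str] = []
    if is_option_like(commit_sha) or not COMMIT_SHA_RE.fullmatch(commit_sha):
        errors.append(f"commit_sha {commit_sha!r} is not a hex object id")
    for d in directories:
        if is_option_like(d) or not DIRECTORY_RE.fullmatch(d):
            errors.append(f"directory {d!r} is not a plain relative path")
        elif ".." in d.split("/"):
            errors.append(f"directory {d!r} contains a parent-directory component")
    return errors


def build_checkout_argv(commit_sha: str, directories: Sequence[str]) -> list[str]:
    """Build argv for `git checkout <sha> -- <dir>...` from validated inputs.

    The commit must precede "--" (git treats everything after it as a path),
    so it is allow-listed to hex; directories sit after "--" so that even a
    value starting with "-" could not be read as an option in that position.
    """
    problems = validation_errors(commit_sha, directories)
    if problems:
        raise ValueError("; ".join(problems))
    return ["git", "checkout", commit_sha, "--", *directories]


def run_checkout(repo_dir: str, commit_sha: str, directories: Sequence[str]) -> subprocess.CompletedProcess:
    """Execute the checkout as an argv list (never shell=True), inside the repo."""
    argv = build_checkout_argv(commit_sha, directories)
    return subprocess.run(argv, cwd=repo_dir, check=True, capture_output=True, text=True)


if __name__ == "__main__":
    # Constructed inputs: one clean request and one carrying a flag-shaped commit value.
    print(build_checkout_argv("a1b2c3d", ["flows/etl"]))
    print(validation_errors("--upload-pack=x", ["flows/etl"]))
```

The two checks are complementary: the allow-list stops a flag from ever reaching argv, and the "--" separator means a future bug in the allow-list for paths still cannot turn a directory value into an option. Because the command is built as an argv list rather than a shell string, shell metacharacters in the values are never interpreted either.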
Business impact
Given the CVSS score of 9.9, this vulnerability presents an extreme risk in multi-tenant environments. An attacker can break out of the intended application context to execute arbitrary code on the underlying worker infrastructure, potentially leading to lateral movement and full compromise of the shared work pool.
Remediation
Immediate Action: Upgrade to the latest version of Prefect that addresses input validation in the GitRepository storage class.
Proactive Monitoring: Monitor worker machine processes for unexpected or unauthorized child processes spawned by the git binary or the Prefect agent.
Compensating Controls: Enforce strict network segmentation and apply the Principle of Least Privilege to all user accounts with deployment creation permissions.
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
This vulnerability represents a significant threat to infrastructure security. Organizations running Prefect in multi-tenant environments must prioritize upgrading to the latest version to prevent arbitrary code execution and protect worker machines from unauthorized command injection attacks.