PraisonAI Shell Injection Vulnerability in run_python() Function Allows Arbitrary OS Command Execution

A shell injection vulnerability has been identified in the PraisonAI multi-agent teams system, specifically in versions through 1.5.89. The issue arises in the run_python() function, which constructs a shell command by interpolating user-controlled code into a Python command string and executing it with subprocess.run() using shell=True. The escaping mechanism only addresses backslashes and double quotes, leaving dollar sign and backtick substitutions unescaped. This oversight enables arbitrary operating system command execution before the Python interpreter processes the command. The vulnerability can be exploited by passing crafted code that takes advantage of the unescaped substitutions, allowing commands to be executed with the privileges of the user running the PraisonAI process.

Impact

Exploitation of this vulnerability allows for unrestricted operating system command execution, with the commands being executed as the user running the PraisonAI process. This could lead to unauthorized access, data manipulation, or other malicious activities on the system.

Reproduction

The vulnerability can be reproduced by calling the run_python() function with a code argument that includes unescaped dollar sign or backtick substitutions. For example, injecting a command that writes to a file in the /tmp directory would demonstrate the exploitation. After executing the command, the injected file can be read to verify the successful execution of the injected command.

Remediation

Users are advised to update to PraisonAI version 1.5.90 or later, where this vulnerability has been patched.