PraisonAI execute_code() Sandbox Bypass Vulnerability Leading to Arbitrary OS Command Execution

Vulnerability

A vulnerability in PraisonAI versions prior to 1.5.90 allows arbitrary OS command execution by bypassing the three-layer sandbox around the execute_code() function of the praisonai-agents package. The bypass passes a str subclass with an overridden startswith() method to the _safe_getattr wrapper: the wrapper's isinstance check accepts the subclass while the startswith()-based check it relies on is defeated, so attacker-controlled Python code runs on the host.

Impact

Successful exploitation yields full OS command execution as the user running the PraisonAI process. In deployments built on bot.py, autonomy_mode.py, or bots_cli.py, PRAISONAI_AUTO_APPROVE defaults to true, so code reached through indirect prompt injection executes silently, with no human confirmation step in between.

Reproduction

To reproduce, define a str subclass that overrides startswith() to always return False and pass an instance of it as the attribute name to _safe_getattr. The wrapper's isinstance check passes, because an instance of a subclass is still an instance of str, while the startswith() call that backs its name filtering now reports False for every prefix. With that filter neutralised, the attributes the wrapper hands back are used to reach the Popen class from the subprocess module, which executes arbitrary commands on the host.
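The following is an added, self-contained illustration of this bug class and is not PraisonAI's code: safe_getattr_vulnerable is a constructed guard in the style the advisory describes (an isinstance() check followed by a startswith("_") denylist on the attribute name), SpoofedName is the str subclass that defeats it, and safe_getattr_hardened shows the fix. The walk through object.__subclasses__() is an assumption about how such a leading-underscore denylist is typically evaded to reach subprocess.Popen; the page does not give the exact attribute path used against the affected release. Nothing is executed, the code only shows which guard hands Popen back.

```python
import subprocess  # imported so subprocess.Popen exists among object's subclasses


class SpoofedName(str):
    """A str subclass whose startswith() always reports False.

    isinstance(SpoofedName("__x"), str) is still True, so a guard that
    trusts isinstance() and then calls the instance's own startswith()
    never sees the leading underscore.
    """

    def startswith(self, *args, **kwargs):
        return False


def safe_getattr_vulnerable(obj, name):
    """Constructed guard in the vulnerable style (not PraisonAI's code):
    an isinstance() type check followed by a startswith() denylist."""
    if not isinstance(name, str):
        raise TypeError("attribute name must be a string")
    if name.startswith("_"):  # dispatches to the subclass override
        raise PermissionError(f"access to {name!r} is not allowed")
    return getattr(obj, name)


def safe_getattr_hardened(obj, name):
    """Hardened guard: demand the exact str type and run the prefix check
    through the unbound str.startswith, which no subclass can override."""
    if type(name) is not str:
        raise TypeError("attribute name must be exactly str, not a subclass")
    if str.startswith(name, "_"):
        raise PermissionError(f"access to {name!r} is not allowed")
    return getattr(obj, name)


def guard_outcome(guard, obj, name):
    """Classify what a guard does with a given attribute name."""
    try:
        guard(obj, name)
    except PermissionError:
        return "blocked"
    except TypeError:
        return "rejected"
    return "allowed"


def reach_popen(guard):
    """Try to obtain subprocess.Popen through the guard without ever naming
    the subprocess module: ask `object` for its __subclasses__ under a
    spoofed name and look for Popen in the list (an assumed, generic path).
    Returns the class on success, None if the guard stops the walk."""
    try:
        subclasses = guard(object, SpoofedName("__subclasses__"))()
    except (PermissionError, TypeError):
        return None
    for cls in subclasses:
        if cls.__module__ == "subprocess" and cls.__name__ == "Popen":
            return cls
    return None


if __name__ == "__main__":
    print("plain '__subclasses__' via vulnerable guard:",
          guard_outcome(safe_getattr_vulnerable, object, "__subclasses__"))
    print("spoofed name via vulnerable guard reaches:",
          reach_popen(safe_getattr_vulnerable))
    print("spoofed name via hardened guard reaches:",
          reach_popen(safe_getattr_hardened))
```

The design point is that isinstance() is the wrong tool for a security boundary: it admits every subclass, and every method the guard subsequently calls on the value is then under the caller's control. Pinning the exact type (type(name) is str) and dispatching checks through the unbound str method removes both the subclass and the override from the trust path.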

Remediation

Update to PraisonAI version 1.5.90 or later. Until the update is applied, deployments that run with the PRAISONAI_AUTO_APPROVE=true default (bot.py, autonomy_mode.py, bots_cli.py) should not expose execute_code() to untrusted input, since the sandbox alone does not contain it.

Added: Apr 3, 2026, 11:20 PM
Updated: Apr 3, 2026, 11:20 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 10.0
exploitability: 8.2
remediation: 0.0
relevance: 5.2
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.