PraisonAI SubprocessSandbox Shell Escape Vulnerability
Vulnerability
A vulnerability exists in PraisonAI versions through 4.5.96 within the SubprocessSandbox component. All sandbox modes (BASIC, STRICT, NETWORK_ISOLATED) are affected because the sandbox calls subprocess.run() with shell=True and relies only on string-pattern matching to block harmful commands. The blocked patterns omit sh and bash as standalone executables. This oversight permits a simple escape from the sandbox, even in STRICT mode, by using sh -c '<command>'.
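The weakness described above, shown as an added example that is not PraisonAI's code or its patch: a pattern blocklist over a shell string next to an argv allowlist executed with shell=False. The regex, the allowlist contents, the function names and the sample commands are all constructed assumptions.

```python
from __future__ import annotations
import re
import shlex
import subprocess

# Constructed stand-in for a pattern blocklist; NOT PraisonAI's actual patterns.
BLOCK_RE = re.compile(r"(^|[;&|]\s*)(curl|wget|nc|ssh)\b")

# Hypothetical allowlist: bare program names only, no shells or interpreters.
ALLOWED = {"ls", "cat", "echo", "id"}


def blocklist_allows(command: str) -> bool:
    """Weak check: look for blocked names at command position in the raw string."""
    return BLOCK_RE.search(command) is None


def parse_allowed(command: str) -> list[str] | None:
    """Hardened check: tokenize, then require argv[0] to be on the allowlist."""
    try:
        argv = shlex.split(command)
    except ValueError:  # unbalanced quotes
        return None
    if not argv or argv[0] not in ALLOWED:
        return None  # rejects sh, bash, and path forms such as /bin/ls
    return argv


def run_sandboxed(command: str) -> subprocess.CompletedProcess:
    """Run without a shell, so quotes and metacharacters are never interpreted."""
    argv = parse_allowed(command)
    if argv is None:
        raise PermissionError(f"command not permitted: {command!r}")
    return subprocess.run(argv, shell=False, capture_output=True,
                          text=True, timeout=10)


# Constructed sample inputs (example.invalid is a reserved, non-resolving name).
SAMPLES = [
    "curl http://example.invalid/",          # caught by both checks
    "sh -c 'curl http://example.invalid/'",  # slips past the blocklist
    "bash -c 'id'",                          # slips past the blocklist
    "echo hi; curl http://example.invalid/", # with shell=False, ';' is literal text
    "echo hi",
]


def compare() -> list[tuple[bool, bool]]:
    """(blocklist verdict, allowlist verdict) for each sample, True = permitted."""
    return [(blocklist_allows(c), parse_allowed(c) is not None) for c in SAMPLES]
```

The fourth sample is permitted by the allowlist because, without a shell, it only runs echo with the remaining tokens as literal arguments.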
Impact
Exploiting this vulnerability in STRICT mode allows users to bypass OS-level isolation, accessing commands blocked by the policy (such as curl, wget, nc, and ssh) through sh -c '<blocked_command>'. This escape can be combined with agent prompt injection, enabling access to the network, filesystem, and cloud metadata services.
Reproduction
The vulnerability can be reproduced by installing PraisonAI version 4.5.87 and using the SubprocessSandbox in STRICT mode. Run the sandbox with a command that consists of 'sh -c' followed by a blocked command, such as 'id'. The expected output confirms that the command executed successfully, demonstrating the sandbox escape.
Remediation
Users should update to PraisonAI version 4.5.97 or later, where this vulnerability has been patched.
