PraisonAI Recipe Registry Path Traversal Vulnerability Allowing Arbitrary File Write

A path traversal vulnerability allowing arbitrary file writes has been identified in PraisonAI versions prior to 1.5.113. The issue arises in the recipe registry publish endpoint, which writes uploaded recipe bundles to a filesystem path based on the bundle's internal manifest.json. This occurs before the endpoint verifies that the manifest's name and version match the HTTP route. As a result, a malicious publisher can inject traversal sequences into the manifest, causing the server to create files outside the designated registry root. Although the request is ultimately rejected with an HTTP 400 response, the unauthorized file write has already taken place. This vulnerability affects deployments that expose the recipe registry publish functionality. If the registry is run without a token, any network client can exploit the issue. Even with a token, users with publish access can trigger the vulnerability.

Impact

Exploitation of this vulnerability allows for path traversal and arbitrary file writes on the registry host. Files can be created or overwritten outside the registry root, potentially impacting application integrity and availability.

Reproduction

To reproduce this vulnerability, upload a .praison bundle with a manifest that includes traversal sequences in the name field. Send the bundle to the recipe registry publish endpoint, ensuring that the manifest name and version do not match the URL parameters. The server will respond with a 400 error, but the injected file will be written outside the registry root, demonstrating the vulnerability.

Remediation

Users are advised to validate the 'manifest.json' name and version before any filesystem write, rejecting path separators, traversal sequences, absolute paths, and any values that do not pass the existing validation checks. Additionally, the final destination path should be resolved and checked to ensure it remains within the registry root before writing files.