PraisonAI Remote Code Execution Vulnerability via Unsafe YAML Deserialization
Vulnerability
A remote code execution vulnerability exists in PraisonAI versions prior to 4.5.115. The issue is in the AgentService.loadAgentFromFile method, which parses agent definition files with the js-yaml library under a schema that still honours JavaScript-specific tags such as !!js/function and !!js/undefined instead of restricting the parser to a safe schema. With !!js/function enabled, js-yaml compiles the tagged scalar into a real JavaScript function during parsing, so an attacker who can supply a YAML file controls code that runs in the server process. Exploitation consists of uploading a crafted agent definition file through the API; the code executes as soon as the file is loaded, with no further interaction. (For context: in js-yaml 3.x, yaml.load defaulted to the full schema that includes !!js/function while yaml.safeLoad excluded it; js-yaml 4.x removed that tag from the default schema, and it is only available through the separate js-yaml-js-types plugin.)
Impact
Successful exploitation gives the attacker arbitrary code execution in the PraisonAI server process, with whatever privileges that process holds. This can lead to full server compromise, theft of data and credentials held by the service (including API keys configured for the agents), and lateral movement into the surrounding network.
Reproduction
To reproduce this vulnerability, upload a malicious YAML file as an agent definition via the API endpoint that reaches AgentService.loadAgentFromFile. The file contains a scalar tagged !!js/function whose body is a JavaScript function that runs a system command (for example through child_process). When the agent is loaded, js-yaml compiles and the application invokes that function, and the command executes on the server, demonstrating remote code execution. No authentication bypass or memory corruption is involved; the only requirement is the ability to submit an agent definition file.
Remediation
Users are advised to update to PraisonAI version 4.5.115 or later. Independently of the upgrade, any YAML deserialization of user-supplied content should be restricted to a safe schema: with js-yaml 4.x, call yaml.load with schema set to CORE_SCHEMA or JSON_SCHEMA (and never add the js-yaml-js-types plugin for untrusted input); with js-yaml 3.x, use yaml.safeLoad rather than yaml.load. Uploaded agent definitions should additionally be validated against the expected structure (known keys, scalar types, size limits) before they are used, and the process that loads them should run with the least privilege the service needs, so that a future deserialization bug yields as little as possible.
