PraisonAI Template Injection Vulnerability in Agent Tool Definitions

Vulnerability

A template injection vulnerability has been identified in PraisonAI versions prior to 4.5.115. The issue arises in the create_agent_centric_tools() function, which returns tools that process file content using template rendering. When user input from agent.start() is passed directly into these tools without proper escaping, template expressions in that input are executed instead of being treated as plain text. An attacker who can inject malicious template expressions through agent instructions can therefore achieve arbitrary code execution, because the tools lack input sanitization and context-aware escaping.

Impact

Exploitation of this vulnerability allows for arbitrary command execution on the host system with the privileges of the running process. This could lead to data theft, deployment of ransomware, or lateral movement within a network.

Reproduction

To reproduce this vulnerability, use an agent instruction that includes a template expression, such as one that executes a system command. The expression will be processed and executed instead of being treated as literal text, confirming successful exploitation.

Remediation

Users are advised to update to PraisonAI version 4.5.115 or later. Additionally, implement input sanitization to validate file content, apply contextual escaping to template syntax in user input, restrict template execution environments using secure evaluation modes, and require manual approval for file creation operations in production.
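The following added example (not PraisonAI code and not taken from the fix) sketches three of the mitigations listed above as a gate in front of a file-creating tool: detecting template syntax in agent input, escaping it, and requiring approval. It assumes Jinja2-style delimiters, which the advisory does not confirm; prepare_file_content() and the approve hook are hypothetical names.

```python
import re

# Assumption: Jinja2-style opening delimiters. The advisory does not name
# the template engine; adjust the pattern to the engine actually in use.
OPENERS = re.compile(r"\{\{|\{%|\{#")


def find_template_syntax(text):
    """Return (offset, token) for every template opener in untrusted text."""
    return [(m.start(), m.group()) for m in OPENERS.finditer(text)]


def escape_template_syntax(text):
    """Rewrite each opener as an expression that emits it literally.

    '{{' becomes "{{ '{{' }}", so a Jinja2-style renderer prints the
    original characters instead of evaluating what follows them.
    The substitution is a single pass: inserted text is never re-scanned.
    """
    return OPENERS.sub(lambda m: "{{ '" + m.group() + "' }}", text)


def prepare_file_content(untrusted, approve):
    """Gate for a file-creating tool (hypothetical wrapper).

    approve(findings) is a caller-supplied manual-approval hook. Content
    that contains template syntax is passed on, escaped, only if the hook
    returns True; otherwise the operation is refused.
    """
    findings = find_template_syntax(untrusted)
    if findings and not approve(findings):
        raise PermissionError(f"template syntax in agent input: {findings}")
    return escape_template_syntax(untrusted)


# Constructed sample inputs (a benign arithmetic expression, not a payload).
SAMPLES = [
    "Quarterly notes, plain text.",
    "Total: {{ 7 * 7 }} {% if x %}y{% endif %}",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        try:
            print(repr(prepare_file_content(sample, approve=lambda f: False)))
        except PermissionError as exc:
            print("blocked:", exc)
```

Escaping is a stopgap for deployments that cannot upgrade immediately; the update to 4.5.115 or later remains the primary fix.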

Added: Apr 8, 2026, 9:54 PM
Updated: Apr 8, 2026, 9:54 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 7.5
exploitability: 7.4
remediation: 0.0
relevance: 5.5
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.