PraisonAI Command Injection Vulnerability in Workflow and Shell Execution

Vulnerability

A command injection vulnerability has been identified in PraisonAI versions prior to 4.5.121. The execute_command function and workflow shell execution pass user-controlled input to a shell. This input can arrive through agent workflows, YAML definitions, and LLM-generated tool calls, allowing attackers to execute arbitrary shell commands by exploiting shell metacharacters. The root cause is the default use of 'subprocess.run()' with 'shell=True', which makes the shell interpret metacharacters such as ';', '|', '&&', and '$()' and so run unintended commands.

Impact

Exploitation of this vulnerability allows for the execution of arbitrary shell commands with user privileges, potentially leading to unauthorized access to sensitive files, data exfiltration, modification or deletion of system files, and execution of malicious scripts. In automated environments, such as CI/CD pipelines, these actions could be performed without user awareness, resulting in a complete system compromise.

Reproduction

The vulnerability can be reproduced by creating a malicious YAML workflow file that includes injected commands in the 'target' field, which PraisonAI's workflow system then executes. Alternatively, the injection can be placed in the 'agents.yaml' configuration file by specifying shell commands that exfiltrate data, such as private SSH keys. The injection can also be triggered directly via the PraisonAI API by calling the 'execute_command' function with malicious input that exploits the 'shell=True' default. Another reproduction method involves prompting an LLM to generate tool calls with injected commands, which are then executed through the same vulnerable shell path.

Remediation

Users are advised to update to PraisonAI version 4.5.121 or later, where this vulnerability has been fixed. Additionally, review and sanitize any user-controlled input in workflows and agent configurations to prevent command injection.
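
The difference between the 'shell=True' pattern described above and shell-free execution is shown in the following added example, which is not PraisonAI's code or its fix. The names run_unsafe, run_safe, ALLOWED_BINARIES and the sample string are hypothetical and constructed for illustration.

```python
import shlex
import subprocess

# Hypothetical allowlist: only the binaries your workflows actually need.
ALLOWED_BINARIES = {"echo", "date"}

# Constructed, harmless sample standing in for a workflow/tool-call string.
SAMPLE = "echo hello; echo INJECTED"


def run_unsafe(command: str) -> str:
    """Pattern described in the advisory: the whole string is handed to /bin/sh."""
    done = subprocess.run(command, shell=True, capture_output=True, text=True)
    return done.stdout


def run_safe(command: str, timeout: float = 10.0) -> str:
    """Tokenise without a shell, check the binary, execute as an argv list."""
    argv = shlex.split(command)  # raises ValueError on unbalanced quotes
    if not argv:
        raise ValueError("empty command")
    if argv[0] not in ALLOWED_BINARIES:
        raise PermissionError(f"binary not allowed: {argv[0]!r}")
    # shell=False: ';', '|', '&&' and '$()' reach the program as literal text.
    done = subprocess.run(argv, shell=False, capture_output=True,
                          text=True, timeout=timeout, check=False)
    return done.stdout


if __name__ == "__main__":
    print("shell=True :", repr(run_unsafe(SAMPLE)))
    print("argv list  :", repr(run_safe(SAMPLE)))
```

An allowlist on the binary name does not stop option or argument injection into an allowed program, so arguments taken from YAML or LLM output still need their own validation.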

Added: Apr 9, 2026, 8:47 PM
Updated: Apr 9, 2026, 8:47 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 7.5
exploitability: 8.0
remediation: 0.0
relevance: 5.5
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.