PraisonAI Flask API Unauthenticated Stored Cross-Site Scripting Vulnerability

A stored cross-site scripting vulnerability has been identified in PraisonAI versions prior to 4.5.128. The issue arises in the Flask API endpoint located in src/praisonai/api.py, where agent output is rendered as HTML without proper sanitization. The vulnerability exists because the _sanitize_html function depends on the nh3 library, which is not listed as a required or optional dependency in pyproject.toml. In default installations, where nh3 is absent, the sanitizer fails to operate effectively, allowing an attacker to inject arbitrary JavaScript that executes in the browser of anyone viewing the API output. This exploitation can occur through RAG data poisoning, web scraping results, or prompt injection.

Impact

Exploitation of this vulnerability allows for session hijacking, where an attacker can steal cookies or session tokens from users viewing the API output. Additionally, injected scripts could present fake login forms, exfiltrate data to attacker-controlled servers, or perform actions on behalf of users in the context of their browser session.

Reproduction

To reproduce this vulnerability, set up a PraisonAI instance with an agent that processes external content, such as web scraping or RAG retrieval. Ensure that the nh3 library is not installed, as this is the default setting. After starting the API, access the endpoint. The response will contain unsanitized HTML, including any injected JavaScript, which will execute in the browser.

Remediation

Users should update to PraisonAI version 4.5.128 or later, and ensure that the nh3 library is installed. Additionally, the dependency management in pyproject.toml should be updated to include nh3 as a required dependency.