PraisonAIAgents Environment Variable Secret Exfiltration Vulnerability
Vulnerability
A vulnerability in PraisonAIAgents versions prior to 1.5.128 allows secrets such as database credentials and API keys to be exfiltrated from environment variables. The issue arises because the execute_command function in shell_tools.py expands environment variables in command arguments, which reintroduces a shell-level variable expansion risk even though the function claims to execute commands securely. This is particularly concerning in automated environments where commands are pre-approved, as it can lead to unintentional exposure of sensitive information.
Impact
Exploitation of this vulnerability allows unauthorized access to, and exfiltration of, all environment variables available to the process, including sensitive information such as database URLs, cloud access keys, and API tokens. The vulnerability also makes the approval process deceptive: reviewers are misled about the actual commands being executed, which undermines security oversight.
Reproduction
The vulnerability can be reproduced by setting environment variables that hold sensitive information, such as database URLs or API keys, and then using the PraisonAIAgents tool to execute a command that references these variables. The approval system displays the command with the variable references intact, but once the command is approved, execution expands the variables and reveals the sensitive information. The issue is amplified in automated environments that use the 'PRAISONAI_AUTO_APPROVE' variable, which bypasses human review altogether.
Remediation
Users are advised to update to PraisonAIAgents version 1.5.128 or later, where this vulnerability has been fixed.
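The mismatch between what a reviewer approves and what actually runs, shown as an added example that is not PraisonAIAgents code. It models the flaw with os.path.expandvars (an assumption, since the page does not show the project's implementation); the function names and the sample DATABASE_URL value are constructed for illustration.

```python
import os
import re
import shlex

# Constructed sample value, not a real credential.
SAMPLE_ENV = {"DATABASE_URL": "postgres://app:constructed-pw@db.example/app"}

# Matches $NAME and ${NAME} references in a command string.
VAR_REF = re.compile(r"\$(\w+|\{[^}]*\})")


def argv_with_expansion(command):
    """Flawed pattern: no shell is involved, yet $VAR is expanded per argument."""
    return [os.path.expandvars(arg) for arg in shlex.split(command)]


def argv_literal(command):
    """Hardened pattern: arguments reach the child process exactly as approved."""
    return shlex.split(command)


def approval_mismatch(command):
    """True when the argv that would run differs from what the reviewer saw."""
    return argv_with_expansion(command) != argv_literal(command)


def variable_references(command):
    """Variable names referenced in the command, for flagging at approval time."""
    return [m.strip("{}") for m in VAR_REF.findall(command)]


def demo():
    os.environ.update(SAMPLE_ENV)      # assumed process environment
    shown = "echo $DATABASE_URL"       # text displayed in the approval prompt
    return {
        "shown": shown,
        "expanded": argv_with_expansion(shown),
        "literal": argv_literal(shown),
        "mismatch": approval_mismatch(shown),
        "refs": variable_references(shown),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On versions that cannot be upgraded immediately, a check like variable_references can be used to reject or escalate commands containing variable references before they reach approval.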
