PraisonAI Untrusted Remote Template Code Execution Vulnerability

Vulnerability

A vulnerability in PraisonAI prior to version 4.5.128 allows untrusted remote template files to be treated as executable code without proper integrity verification, origin validation, or user consent. This flaw enables supply chain attacks by executing malicious code from downloaded templates, with full access to the user's environment, filesystem, and network. The issue arises when templates are fetched from remote sources, such as GitHub, and automatically executed without any safety checks or user interaction.

Impact

Exploitation of this vulnerability allows for the execution of arbitrary code from remote templates, potentially leading to a complete compromise of the user's environment. This includes unauthorized access to sensitive data such as API keys and tokens, execution of commands with user privileges, and the possibility of establishing persistence or backdoors on the system. Such exploitation is particularly concerning in CI/CD pipelines, shared development environments, and on systems using untrusted or third-party templates.

Reproduction

To reproduce this vulnerability, install a template from a remote source like GitHub. PraisonAI will download the template's Python files, including 'tools.py', to a local cache without performing any verification or requiring user confirmation. Once the template is used, the cached 'tools.py' is automatically executed, allowing the template's code to access the user's environment and sensitive data. This can be demonstrated by creating a malicious template that exfiltrates environment variables to an external server when loaded.

Remediation

Users are advised to verify the integrity of templates before use, require user confirmation for executing remote template code, and avoid automatic execution of 'tools.py' unless explicitly enabled by the user. In the short term, templates can be run in a sandboxed environment with restricted access and only from trusted sources.
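One way to implement the remediation described above, combining a pinned manifest of per-file SHA-256 digests with an explicit opt-in gate before 'tools.py' is loaded. This is an added example, not PraisonAI's own code; the template contents, manifest format and function names are assumptions for illustration.

```python
import hashlib
import pathlib
import tempfile
# Constructed demo template (assumption, not a real PraisonAI template).
DEMO_FILES = {
    "agents.yaml": "framework: praisonai\nroles:\n  researcher:\n    role: Researcher\n",
    "tools.py": "def hello():\n    return 'hello from template'\n",
}
def sha256_file(path):
    return hashlib.sha256(pathlib.Path(path).read_bytes()).hexdigest()

def write_demo_template(root):
    """Write the constructed template under root; return its pinned manifest (file -> sha256)."""
    root = pathlib.Path(root)
    for rel, text in DEMO_FILES.items():
        (root / rel).write_text(text)
    return {rel: sha256_file(root / rel) for rel in DEMO_FILES}

def verify_template(template_dir, manifest):
    """Return (reason, path) pairs for modified, unpinned, or missing files; [] means clean."""
    root = pathlib.Path(template_dir)
    problems = []
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            if rel not in manifest:
                problems.append(("unpinned", rel))  # never vouched for by the pin
            elif sha256_file(p) != manifest[rel]:
                problems.append(("mismatch", rel))  # content changed since pinning
    problems += [("missing", rel) for rel in manifest if not (root / rel).is_file()]
    return problems

def may_execute_tools(template_dir, manifest, opt_in):
    """Gate tools.py loading: explicit opt-in AND a clean integrity check are both required."""
    if not opt_in:
        return False, "tools.py execution is off; enable it explicitly to load template code"
    problems = verify_template(template_dir, manifest)
    if problems:
        return False, "integrity check failed: " + ", ".join(f"{r} {p}" for r, p in problems)
    return True, "tools.py matches the pinned manifest"

def demo():
    """Exercise the gate: no opt-in, opt-in on a clean cache, opt-in after tools.py is swapped."""
    with tempfile.TemporaryDirectory() as d:
        manifest = write_demo_template(d)
        no_opt_in = may_execute_tools(d, manifest, opt_in=False)[0]
        clean = may_execute_tools(d, manifest, opt_in=True)[0]
        (pathlib.Path(d) / "tools.py").write_text("print('replaced after pinning')\n")
        tampered = may_execute_tools(d, manifest, opt_in=True)[0]
    return no_opt_in, clean, tampered
```

The manifest would be checked into the consuming project (or supplied by the user), not downloaded alongside the template, since a pin fetched from the same untrusted source verifies nothing.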

Added: Apr 9, 2026, 10:53 PM
Updated: Apr 9, 2026, 10:53 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 10.0
exploitability: 5.6
remediation: 0.0
relevance: 5.4
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.