PraisonAI Arbitrary Code Execution Vulnerability via Automatic tools.py Loading
Vulnerability
A vulnerability in PraisonAI versions prior to 4.5.128 allows for arbitrary code execution by automatically loading a file named tools.py from the current working directory. This process, which uses importlib to execute module-level code, occurs without user consent or validation, and is not sandboxed. The tools.py file is loaded implicitly, even if not referenced in configuration files. This behavior creates a security risk by treating untrusted content as trusted and executing it automatically. If a malicious tools.py file is placed in a directory where PraisonAI is run, the code will be executed immediately upon startup, before any agent logic is processed. This vulnerability is particularly concerning in environments like CI/CD pipelines, where untrusted repositories may be processed.
Impact
Exploitation of this vulnerability allows for the execution of arbitrary code, with potential consequences such as exfiltrating environment variables and credentials, creating persistence mechanisms on developer or CI systems, and introducing software supply chain risks by executing malicious code from trusted directories.
Reproduction
To reproduce this vulnerability, create a malicious tools.py file containing arbitrary code, such as a print statement and a command execution, and place it in the working directory. Then create a valid agents.yaml file and run PraisonAI against it. The code in tools.py runs at startup without any warning or confirmation, demonstrating the vulnerability.
Remediation
Users are advised to update to PraisonAI version 4.5.128 or later. Additionally, consider implementing measures such as requiring explicit opt-in for loading tools.py, adding pre-execution user confirmations, restricting trusted paths, avoiding the execution of module-level code during tool discovery, and optionally hardening the execution environment.
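The following is an added example, not PraisonAI's own code, showing what the remediation list above looks like in practice for the loading mechanism described in the Vulnerability section: tool discovery parses tools.py with the ast module instead of importing it (so module-level code cannot run during discovery), loading requires an explicit opt-in, the file must sit under a caller-supplied trusted root, and the actual import is gated behind a confirmation hook. The names UntrustedToolsFile, discover_tools, load_tool and demo are assumptions, and the tools.py content in SAMPLE_TOOLS_PY is constructed for the demonstration (its module-level statement only writes a marker file so the effect is observable).

```python
"""Added example (not PraisonAI's code): a tools.py loader hardened along the
lines of the advisory's remediation list. All function and class names here
are assumptions, and SAMPLE_TOOLS_PY is a constructed plugin for the demo."""
import ast
import importlib.util
import tempfile
from pathlib import Path
from typing import Callable, Dict, List


class UntrustedToolsFile(Exception):
    """tools.py is present but policy says it must not be loaded."""


def _is_within(path: Path, root: Path) -> bool:
    """True if path lies under root (both already resolved, symlinks followed)."""
    try:
        path.relative_to(root)
        return True
    except ValueError:
        return False


def discover_tools(directory: Path, trusted_roots: List[Path], opt_in: bool) -> List[str]:
    """Name the top-level functions in <directory>/tools.py without importing it.
    Parsing with ast means module-level statements never run during discovery;
    loading is also refused without opt-in or outside an explicitly trusted root."""
    tools_file = (directory / "tools.py").resolve()
    if not tools_file.is_file():
        return []  # nothing to load
    if not opt_in:
        raise UntrustedToolsFile(f"{tools_file} found but tool loading is not opted in")
    if not any(_is_within(tools_file, root.resolve()) for root in trusted_roots):
        raise UntrustedToolsFile(f"{tools_file} is outside the trusted roots")
    tree = ast.parse(tools_file.read_text(encoding="utf-8"), filename=str(tools_file))
    return [n.name for n in tree.body if isinstance(n, (ast.FunctionDef, ast.AsyncFunctionDef))]


def load_tool(tools_file: Path, name: str, confirm: Callable[[str], bool]) -> Callable:
    """Import tools.py and return one tool, but only after confirm() approves.
    Importing does execute module-level code, so this is the gated step; the
    confirm hook stands in for an interactive prompt or a CI policy check."""
    if not confirm(str(tools_file)):
        raise UntrustedToolsFile(f"loading {tools_file} was not confirmed")
    spec = importlib.util.spec_from_file_location("user_tools", tools_file)
    module = importlib.util.module_from_spec(spec)
    spec.loader.exec_module(module)  # module-level code runs here, and only here
    tool = getattr(module, name)
    if not callable(tool):
        raise TypeError(f"{name} in {tools_file} is not callable")
    return tool


# Constructed sample plugin: one observable module-level side effect plus one tool.
SAMPLE_TOOLS_PY = '''\
from pathlib import Path
Path(__file__).with_name("side_effect.txt").write_text("module-level code ran")

def greet(name):
    return "hello " + name
'''


def demo() -> Dict[str, object]:
    """Exercise the loader against the constructed plugin in a temp directory."""
    out: Dict[str, object] = {}
    with tempfile.TemporaryDirectory() as tmp:
        work = Path(tmp)
        marker = work / "side_effect.txt"
        (work / "tools.py").write_text(SAMPLE_TOOLS_PY, encoding="utf-8")
        try:  # 1. no opt-in: refused even though tools.py exists
            discover_tools(work, [work], opt_in=False)
            out["refused_without_opt_in"] = False
        except UntrustedToolsFile:
            out["refused_without_opt_in"] = True
        out["tools"] = discover_tools(work, [work], opt_in=True)  # 2. ast-only discovery
        out["side_effect_after_discovery"] = marker.exists()       # marker must be absent
        try:  # 3. trusted-root check with a root that does not contain tools.py
            discover_tools(work, [work / "some_other_dir"], opt_in=True)
            out["refused_outside_trusted_roots"] = False
        except UntrustedToolsFile:
            out["refused_outside_trusted_roots"] = True
        try:  # 4. declined confirmation: nothing imported, nothing executed
            load_tool(work / "tools.py", "greet", confirm=lambda _p: False)
            out["refused_when_declined"] = False
        except UntrustedToolsFile:
            out["refused_when_declined"] = True
        out["side_effect_after_decline"] = marker.exists()
        greet = load_tool(work / "tools.py", "greet", confirm=lambda _p: True)  # 5. approved
        out["greet"] = greet("agent")
        out["side_effect_after_load"] = marker.exists()  # now the module-level code has run
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The design point is the split between discovery and loading: listing the tools a plugin offers never needs to execute it, so that step is done on the syntax tree, and the one step that does run module-level code (the import) is reached only after opt-in, path restriction and confirmation have all passed. In a CI pipeline the confirm hook would be a policy function rather than a prompt, and a checked-out repository directory would simply not be in trusted_roots.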