PraisonAI AST-Based Python Sandbox Bypass Vulnerability Allowing Arbitrary Code Execution
Vulnerability
A vulnerability exists in PraisonAI versions prior to 4.5.128, where the AST-based Python sandbox can be bypassed, leading to arbitrary code execution when untrusted agent code is executed. The issue arises in the '_execute_code_direct' function within 'praisonaiagents/tools/python_tools.py', which attempts to filter out dangerous Python attributes such as '__subclasses__', '__globals__', and '__bases__'. However, the filtering only applies to 'ast.Attribute' nodes (direct dotted access), leaving a loophole. Because the sandbox relies on AST filtering of attribute access alone, it does not consider dynamic attribute resolution through built-in methods such as 'type.__getattribute__', where the attribute name is supplied as a string rather than as an attribute node, so the security enforcement is inadequate. Consequently, attributes like '__subclasses__' can still be reached and used to escape the sandbox and execute malicious code.
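To make the gap concrete, the following is an added example (not PraisonAI's own code) that contrasts a checker which inspects only 'ast.Attribute' nodes, as described above, with one that also inspects string constants and rejects any dunder name; the block list is a constructed stand-in for the project's real list, and the snippets it is run on are constructed test inputs.

```python
import ast

# Constructed stand-in for the project's block list (assumption, not the real one).
BLOCKED_NAMES = {"__subclasses__", "__globals__", "__bases__"}


def _is_dunder(name: str) -> bool:
    """True for names of the form __x__, which expose interpreter internals."""
    return len(name) > 4 and name.startswith("__") and name.endswith("__")


def naive_attribute_filter(source: str) -> list:
    """Flag blocked names only when they appear as direct attribute access
    (ast.Attribute). This mirrors the weakness described in the advisory:
    a name passed as a string is never seen as an attribute node."""
    tree = ast.parse(source)
    return [
        node.attr
        for node in ast.walk(tree)
        if isinstance(node, ast.Attribute) and node.attr in BLOCKED_NAMES
    ]


def hardened_attribute_filter(source: str) -> list:
    """Also reject dunder names carried as string constants (the operand of
    getattr/__getattribute__ style lookups) and any dunder attribute access,
    so dynamic resolution paths are flagged as well as dotted access."""
    tree = ast.parse(source)
    hits = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Attribute):
            if node.attr in BLOCKED_NAMES or _is_dunder(node.attr):
                hits.append(node.attr)
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            if node.value in BLOCKED_NAMES or _is_dunder(node.value):
                hits.append(node.value)
    return hits


if __name__ == "__main__":
    # Constructed inputs: direct access, and the string-based path the advisory names.
    direct = "object.__subclasses__()"
    dynamic = "type.__getattribute__(object, '__subclasses__')"
    print("direct  :", naive_attribute_filter(direct), hardened_attribute_filter(direct))
    print("dynamic :", naive_attribute_filter(dynamic), hardened_attribute_filter(dynamic))
```

Even the hardened variant is a denylist over syntax, not a trust boundary: untrusted code should run in a separate process or container with reduced privileges regardless of how the AST is screened.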
Impact
Exploiting this vulnerability allows attackers to break out of the intended Python sandbox and execute arbitrary code with the privileges of the host process. This could lead to full system compromise, data exfiltration, and potential lateral movement within the infrastructure, especially in environments that run untrusted code, such as multi-tenant agent platforms or CI/CD pipelines.
Reproduction
The vulnerability can be reproduced by executing untrusted agent code that accesses blocked attributes through the 'type.__getattribute__' method. This bypasses the AST filtering intended to prevent such access. The proof of concept demonstrates how to exploit the vulnerability by retrieving sensitive information and executing commands on the system.
Remediation
Users should update PraisonAI to version 4.5.128 or later, where this vulnerability has been patched.