PraisonAI Background Server Command Injection Vulnerability Allowing Sensitive Environment Variable Exposure

Vulnerability

A vulnerability in PraisonAI versions through 4.5.117 allows the execution of user-supplied commands via the MCP (Model Context Protocol) integration. These commands are run in the background using Python's subprocess module, and by default, the entire parent process environment is forwarded to the spawned subprocess. This means that any executed MCP command inherits all environment variables from the host process, including sensitive information such as API keys, authentication tokens, and database credentials. The vulnerability arises when untrusted or third-party commands are used, particularly with package runners like npx -y, where arbitrary code from external packages could execute with access to these sensitive environment variables. This could lead to unintended credential exposure and enable supply chain attacks by silently exfiltrating secrets.

Impact

Exploitation of this vulnerability could result in the unauthorized exposure of sensitive environment variables, including API keys, authentication tokens, and database credentials, to untrusted subprocesses. This creates a risk of credential leakage to malicious MCP tools or commands, potentially leading to unauthorized access to external services or data breaches. In supply chain attack scenarios, a compromised package could exploit this vulnerability to read and exfiltrate sensitive data from the environment, including keys for services like OpenAI or Anthropic, database connection strings, and cloud credentials such as AWS access keys.

Reproduction

To reproduce this vulnerability, export a secret environment variable, such as SUPER_SECRET_KEY. Then, use an MCP command that executes a Python script via subprocess, which can read and print the environment variables. This will demonstrate the leakage of sensitive data to the untrusted command. Alternatively, a malicious MCP command could be crafted to exfiltrate the environment variables to an external server.

Remediation

Users are advised to sanitize the environment variable dictionary before passing it to a subprocess, removing sensitive API keys and tokens unless they are explicitly allowlisted. Additionally, a strict allowlist parameter could be implemented for the variables that developers intend to pass down. Documentation should also highlight the risks of using 'npx -y' with MCP tools.
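One way to implement the allowlist and secret-stripping described above, as an added Python example that is not PraisonAI's own code; the allowlist names, SECRET_PATTERN and the probe command are assumptions:

```python
import os
import re
import subprocess
import sys

# Names an untrusted MCP child process legitimately needs; everything else is
# dropped. This allowlist is an assumption for the example, not PraisonAI's.
DEFAULT_ALLOWLIST = frozenset({"PATH", "HOME", "LANG", "LC_ALL", "TMPDIR", "SYSTEMROOT"})

# Defence in depth: a name that looks like a secret is refused even if someone
# adds it to the allowlist or passes it explicitly.
SECRET_PATTERN = re.compile(r"(KEY|TOKEN|SECRET|PASSW(OR)?D|CREDENTIAL)", re.IGNORECASE)


def build_subprocess_env(parent_env, allowlist=DEFAULT_ALLOWLIST, extra=None):
    """Return a minimal environment for an untrusted MCP subprocess.

    Only names in `allowlist` (plus explicit `extra` values) are forwarded;
    any name matching SECRET_PATTERN is dropped or, for `extra`, rejected.
    """
    child_env = {}
    for name, value in parent_env.items():
        if name in allowlist and not SECRET_PATTERN.search(name):
            child_env[name] = value
    for name, value in (extra or {}).items():
        if SECRET_PATTERN.search(name):
            raise ValueError(f"refusing to forward secret-looking variable {name!r}")
        child_env[name] = value
    return child_env


def run_mcp_command(args, env):
    """Run an MCP server command with an explicit, sanitized environment."""
    return subprocess.run(args, env=env, capture_output=True, text=True, check=False)


def child_sees_variable(name, env):
    """Spawn a Python child (the probe from the Reproduction section) and report
    whether `name` is visible to it."""
    probe = f"import os; print(int({name!r} in os.environ))"
    result = run_mcp_command([sys.executable, "-c", probe], env)
    return result.stdout.strip() == "1"


if __name__ == "__main__":
    # Constructed parent environment standing in for the host process.
    parent = dict(os.environ, SUPER_SECRET_KEY="example-not-a-real-secret")
    print("full env leaks secret:", child_sees_variable("SUPER_SECRET_KEY", dict(parent)))
    print("sanitized env leaks secret:", child_sees_variable("SUPER_SECRET_KEY", build_subprocess_env(parent)))
```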

Added: Apr 10, 2026, 5:23 PM
Updated: Apr 10, 2026, 5:23 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 7.5
remediation: 0.0
relevance: 5.8
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.