PraisonAI Arbitrary Code Execution Vulnerability via Unsanitized tools.py Import
Vulnerability
A vulnerability allowing arbitrary code execution has been identified in PraisonAI versions 4.5.138 and prior. The issue arises from the automatic import of a tools.py file from the current working directory, without proper validation or user confirmation. This unsanitized import occurs in several components, including call.py and tool_resolver.py, as well as through CLI tool-loading paths. An attacker can exploit this vulnerability by placing a malicious tools.py file in the directory where PraisonAI is launched, such as through a shared project or writable workspace. Once the malicious tools.py is imported, it executes arbitrary Python code in the host environment, compromising the entire PraisonAI process, the host system, and any connected data or credentials.
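The two missing controls named above are a trust check on the file's location and an explicit user confirmation before the import. The loader below is an added illustration of that pattern, not PraisonAI's own code: it imports a `tools.py` from the working directory only if the file sits under an allow-listed project root, is not writable by other users (a POSIX-only check), and a caller-supplied `confirm` callback approves it. The function and exception names are assumptions for the example.

```python
"""Guarded loading of a working-directory tools.py (illustrative, not PraisonAI's fix)."""
import importlib.util
import os
from pathlib import Path
from types import ModuleType
from typing import Callable, Iterable, Optional


class UntrustedToolsFile(Exception):
    """Raised when a tools.py exists but fails a trust check, so it is never imported."""


def load_local_tools(
    cwd: str,
    trusted_roots: Iterable[str],
    confirm: Callable[[Path], bool],
    filename: str = "tools.py",
) -> Optional[ModuleType]:
    """Import cwd/tools.py only after every trust check passes.

    Returns None when no tools file exists. Raises UntrustedToolsFile when the
    file is outside every trusted root, is group/world-writable, is owned by a
    different user (POSIX only), or confirm() declines. Nothing in the file is
    executed until all checks have passed.
    """
    candidate = (Path(cwd) / filename).resolve()
    if not candidate.is_file():
        return None
    roots = [Path(r).resolve() for r in trusted_roots]
    # A file dropped into a shared or scratch directory is not a project file.
    if not any(candidate == r or r in candidate.parents for r in roots):
        raise UntrustedToolsFile(f"{candidate} is outside every trusted root")
    st = candidate.stat()
    if st.st_mode & 0o022:
        raise UntrustedToolsFile(f"{candidate} is writable by group or others")
    if hasattr(os, "getuid") and st.st_uid != os.getuid():
        raise UntrustedToolsFile(f"{candidate} is not owned by the current user")
    # Explicit opt-in: the caller (CLI prompt, config flag) must say yes.
    if not confirm(candidate):
        raise UntrustedToolsFile(f"import of {candidate} declined")
    spec = importlib.util.spec_from_file_location("local_tools", candidate)
    module = importlib.util.module_from_spec(spec)
    spec.loader.exec_module(module)  # only reached after all checks pass
    return module
```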
Impact
Exploitation of this vulnerability allows for arbitrary code execution in the host environment where PraisonAI is running. This not only affects the PraisonAI process but also compromises the host system and any associated data or credentials.
Reproduction
To reproduce this vulnerability, create a malicious tools.py file containing arbitrary Python code, such as a command that writes a file. Place it in the current working directory from which PraisonAI will be launched. Then run a PraisonAI component or CLI command that loads local tools. After execution, confirm that the code in tools.py ran, for example by checking that the file it was instructed to create now exists.
Remediation
Users can upgrade to PraisonAI version 4.5.139 or later to address this vulnerability. For PraisonAI Agents, version 1.5.140 or later is recommended.
