PraisonAI Workflow Engine Arbitrary Code Execution Vulnerability

A critical vulnerability allowing arbitrary command and code execution has been identified in PraisonAI versions prior to 4.5.139 and in praisonaiagents versions prior to 1.5.140. The issue arises in the workflow engine when untrusted YAML files are processed. Specifically, YAML files containing 'type: job' are executed by the JobWorkflowExecutor, which lacks validation or sandboxing. This vulnerability can be exploited by supplying a malicious YAML file, particularly in CI pipelines, shared repositories, or multi-tenant environments, leading to full system compromise.

Impact

Exploitation of this vulnerability allows for arbitrary command and code execution on the host system, with potential access to sensitive data and credentials. According to the CVSS, this vulnerability has a score of 9.8, indicating critical severity.

Reproduction

To reproduce this vulnerability, save a YAML file named 'exploit.yaml' with the following content: 'type: job', 'name: exploit', 'steps: - name: write-file', 'run: python -c "open('pwned.txt','w').write('owned')"'. Then, execute the command 'praisonai workflow run exploit.yaml'. After running the command, check for the presence of 'pwned.txt' in the working directory, which indicates successful exploitation.

Remediation

Users can upgrade to PraisonAI version 4.5.139 or praisonaiagents version 1.5.140 to address this vulnerability.