PraisonAI Browser Bridge Unauthenticated Remote Session Hijacking Vulnerability
Vulnerability
A vulnerability allowing unauthenticated remote session hijacking has been identified in PraisonAI versions prior to 4.5.139 and in praisonaiagents versions prior to 1.5.140. The issue arises in the browser bridge component, specifically at the '/ws' WebSocket endpoint, which lacks proper authentication and has a bypassable origin check. By default, the server listens on all network interfaces and only validates the Origin header when it is present. This oversight allows non-browser clients to connect without restrictions by omitting the header. Once connected, an attacker can send a 'start_session' message, which the server routes to the first available idle browser-extension WebSocket, effectively hijacking that session. The attacker then receives all automation actions and outputs from the extension, enabling unauthorized control over browser automation sessions, access to sensitive page context and automation results, and misuse of model-backed browser actions in any environment where the bridge is accessible over the network.
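The flawed check described above, reduced to a pure function and placed beside a hardened handshake check. This is an added example written for this advisory, not PraisonAI's own code; the header names and the `allowed_origins` and `bridge_token` parameters are assumptions for illustration.

```python
"""Origin-only WebSocket gating (bypassable) vs. a fail-closed, token-backed check."""
import hmac
from typing import Mapping

def _lower(headers: Mapping[str, str]) -> dict[str, str]:
    # HTTP header names are case-insensitive; normalise once for lookups.
    return {k.lower(): v for k, v in headers.items()}

def weak_origin_check(headers: Mapping[str, str], allowed_origins: set[str]) -> bool:
    """The vulnerable pattern: Origin is validated only when the client sends it.
    Browsers always send Origin on WebSocket upgrades, but a non-browser client
    can simply omit it and is accepted without any check."""
    origin = _lower(headers).get("origin")
    if origin is None:
        return True  # the bypass: no header means no check
    return origin in allowed_origins

def hardened_handshake_check(headers: Mapping[str, str],
                             allowed_origins: set[str],
                             bridge_token: str) -> bool:
    """Hardened form: fail closed on a missing Origin, require an exact match,
    and require a shared secret so admission never rests on a client-chosen
    header alone. The token scheme (Bearer) is an assumption of this example."""
    h = _lower(headers)
    origin = h.get("origin")
    if origin is None or origin not in allowed_origins:
        return False
    presented = h.get("authorization", "")
    if not presented.startswith("Bearer "):
        return False
    # Constant-time comparison so a wrong token cannot be refined by timing.
    return hmac.compare_digest(presented[len("Bearer "):].encode(), bridge_token.encode())

if __name__ == "__main__":
    # Constructed sample handshakes; the extension id and token are placeholders.
    allowed = {"chrome-extension://EXAMPLE_EXTENSION_ID"}
    token = "EXAMPLE_BRIDGE_TOKEN"
    headerless = {}                                   # non-browser client, no Origin
    extension = {"Origin": "chrome-extension://EXAMPLE_EXTENSION_ID",
                 "Authorization": "Bearer EXAMPLE_BRIDGE_TOKEN"}
    print("weak, no Origin      ->", weak_origin_check(headerless, allowed))          # True
    print("hardened, no Origin  ->", hardened_handshake_check(headerless, allowed, token))  # False
    print("hardened, extension  ->", hardened_handshake_check(extension, allowed, token))   # True
```

Binding the listener to the loopback interface instead of all interfaces is a separate, complementary control that the hardened check does not replace.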
Impact
Exploitation of this vulnerability allows for unauthorized remote control of browser automation sessions, hijacking of connected extension sessions, and interception of automation outputs, including sensitive page context. This could lead to misuse of model-backed browser actions in any environment where the bridge is network-reachable.
Reproduction
The vulnerability can be reproduced by starting the PraisonAI browser bridge, connecting a WebSocket as a fake browser extension with a valid origin, and then connecting a second WebSocket without an Origin header. After establishing these connections, the unauthenticated WebSocket can send a 'start_session' message, which the server will forward to the extension WebSocket. Once the extension responds, the action is broadcast back to the attacker, demonstrating successful session hijacking.
Remediation
Users are advised to update to PraisonAI version 4.5.139 or later and to praisonaiagents version 1.5.140 or later.