PraisonAI GitHub Actions ArtiPACKED Vulnerability Allowing Credential Leakage and Repository Takeover

A vulnerability exists in PraisonAI, a multi-agent teams system, in GitHub Actions workflows prior to version 4.5.140. The issue arises from the default behavior of actions/checkout, which persists credentials by writing the GITHUB_TOKEN and sometimes ACTIONS_RUNTIME_TOKEN into the .git/config file. This credential leakage can be exploited by uploading artifacts that inadvertently include these tokens. In the case of PraisonAI, a public repository, leaked tokens can be accessed by any user with read permissions, potentially leading to a supply chain compromise. The vulnerability has been identified in multiple workflow and action files across the repository.

Impact

Exploitation of this vulnerability allows for unauthorized access to the repository using the leaked GITHUB_TOKEN or ACTIONS_RUNTIME_TOKEN. This could result in pushing malicious code, poisoning releases and packages, stealing repository secrets, and compromising the entire PraisonAI project, affecting all downstream users.

Reproduction

The vulnerability can be reproduced by using the actions/checkout@v4 GitHub action without setting persist-credentials to false. This can be done in any workflow file under .github/workflows/ or .github/actions/. Once the workflow is executed, the GITHUB_TOKEN will be written into the .git/config file. If an artifact is uploaded in a subsequent step, the token can be included in the artifact, which is then accessible to anyone with read access to the repository.

Remediation

To address this vulnerability, update all actions/checkout steps to include persist-credentials: false. This prevents the GITHUB_TOKEN from being written into the .git/config file and leaking into uploaded artifacts.