PraisonAI Command Injection Vulnerability in MCP Command Handling

Vulnerability

A command injection vulnerability has been identified in PraisonAI versions prior to 4.6.9. The issue is in the MCP command handling: the 'parse_mcp_command()' function neither validates command arguments nor enforces a command allowlist. As a result, arbitrary executables, such as bash or python, can be invoked with inline code execution flags, and the resulting commands are executed via subprocesses.

Impact

Exploitation of this vulnerability allows for arbitrary command execution on the host system, leading to full remote code execution.

Reproduction

The vulnerability can be reproduced by using a version of PraisonAI prior to 4.6.9 and sending MCP commands that include disallowed executables or dangerous inline execution flags. The 'parse_mcp_command()' function will accept these commands without validation and execute them as subprocesses.

Remediation

Users are advised to update to PraisonAI version 4.6.9 or later, where this vulnerability has been patched.
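
The advisory names two missing checks: a command allowlist and validation of arguments for inline execution flags. The Python below is an added example of applying both before a command reaches a subprocess; it is not PraisonAI's code or the 4.6.9 patch, and the allowlist contents and the names validate_mcp_command, MCPCommandRejected, ALLOWED_EXECUTABLES and INLINE_EXEC are assumptions.

```python
import os
import shlex

# Assumed policy for this example; not PraisonAI's actual allowlist.
ALLOWED_EXECUTABLES = {"npx", "node", "python", "python3"}
# Per executable: (short option letters, long options) that run inline code.
INLINE_EXEC = {
    "python": ("c", set()),
    "python3": ("c", set()),
    "node": ("ep", {"--eval", "--print"}),
    "npx": ("c", {"--call"}),
}


class MCPCommandRejected(ValueError):
    """Raised when an MCP command string fails validation."""


def _runs_inline_code(arg, short, long_opts):
    if arg.startswith("--"):
        return arg.split("=", 1)[0] in long_opts
    # Short options can be clustered (-Ic) or carry the value (-cCODE).
    return arg.startswith("-") and any(ch in short for ch in arg[1:])


def validate_mcp_command(command: str) -> list[str]:
    """Return argv for subprocess.run(argv, shell=False), or raise."""
    try:
        argv = shlex.split(command)
    except ValueError as exc:  # e.g. unbalanced quotes
        raise MCPCommandRejected(f"unparseable command: {exc}") from exc
    exe = argv[0] if argv else ""
    # Bare names only: a path could point at a binary outside the allowlist.
    if os.path.basename(exe) != exe or exe not in ALLOWED_EXECUTABLES:
        raise MCPCommandRejected(f"executable not allowed: {exe!r}")
    short, long_opts = INLINE_EXEC.get(exe, ("", set()))
    # All args are scanned (fail closed): option arity is unknown here.
    for arg in argv[1:]:
        if _runs_inline_code(arg, short, long_opts):
            raise MCPCommandRejected(f"inline execution flag: {arg!r}")
    return argv


if __name__ == "__main__":  # constructed sample inputs, not from the advisory
    for cmd in ("npx -y example-mcp-server /tmp", 'python3 -Ic "print(1)"'):
        try:
            print("allow", validate_mcp_command(cmd))
        except MCPCommandRejected as err:
            print("deny ", err)
```

Because every argument is scanned, a server script that takes its own -c option is also rejected; pass such settings through a long option or a config file.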

Added: May 8, 2026, 5:18 PM
Updated: May 8, 2026, 5:18 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 10.0
exploitability: 5.7
remediation: 0.0
relevance: 7.8
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.