PraisonAI MCP Server Path Traversal Vulnerability Leading to Remote Code Execution
Vulnerability
A critical vulnerability in PraisonAI's MCP (Model Context Protocol) server, prior to version 4.6.34, allows arbitrary file writes and, through them, remote code execution. The server registers several file-handling tools that accept path or filename strings without validating them, so a caller can traverse out of the intended directory and write files anywhere the user can. Because an attacker can write a malicious Python .pth file into the user's site-packages directory, the file write escalates to arbitrary code execution in any Python process the user starts afterwards. The issue can also be triggered through indirect prompt injection in a connected LLM, with no user action beyond normal usage.
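The root cause described above is a path or filename string that is joined to a working directory without confinement. The following Python example is added here for illustration and is not PraisonAI's code: it places the vulnerable join pattern beside a hardened version that resolves the requested path and refuses anything outside the workspace, then classifies a few constructed sample arguments. The function names, the temporary workspace and the sample paths are assumptions.

```python
"""Defensive path-confinement check for an MCP file-handling tool.

Added illustrative example, not PraisonAI's code. Function names, the
workspace directory and the sample requests are assumptions.
"""
import os
import tempfile
from pathlib import Path


class PathTraversalError(ValueError):
    """Raised when a tool argument would resolve outside the allowed directory."""


def naive_join(base_dir, user_path):
    """The vulnerable pattern: trust the string from the tool call as-is.

    os.path.join silently discards base_dir when user_path is absolute, and
    '..' segments are kept, so the caller can escape base_dir either way.
    """
    return os.path.join(base_dir, user_path)


def safe_join(base_dir, user_path):
    """Resolve user_path under base_dir and refuse anything that escapes it.

    resolve() normalises '..' segments and follows symlinks, so the containment
    check is made on the real target rather than on the literal string.
    """
    base = Path(base_dir).resolve()
    requested = Path(user_path)
    if requested.is_absolute():
        raise PathTraversalError(f"absolute paths are not allowed: {user_path!r}")
    candidate = (base / requested).resolve()
    # Accept the workspace itself or any descendant; reject everything else.
    if candidate != base and base not in candidate.parents:
        raise PathTraversalError(f"path escapes workspace: {user_path!r}")
    return candidate


def classify_requests(base_dir, paths):
    """Return {path: 'allowed' | 'rejected'} for a batch of tool-call arguments."""
    verdicts = {}
    for p in paths:
        try:
            safe_join(base_dir, p)
            verdicts[p] = "allowed"
        except PathTraversalError:
            verdicts[p] = "rejected"
    return verdicts


# Constructed sample arguments, modelled on what a file tool call could carry.
SAMPLE_PATHS = [
    "notes/today.md",              # ordinary relative path inside the workspace
    "notes/../report.txt",         # '..' that still lands inside the workspace
    "../../outside/escaped.txt",   # '..' that climbs out of the workspace
    "/etc/hostname",               # absolute path, ignores the workspace entirely
]


def demo():
    """Run the check against a throwaway workspace and return the verdicts."""
    workspace = tempfile.mkdtemp(prefix="mcp-workspace-")
    return classify_requests(workspace, SAMPLE_PATHS)


if __name__ == "__main__":
    for path, verdict in demo().items():
        print(f"{verdict:8} {path}")
```

The check is applied once, at the boundary where the tool receives its argument, and every file operation (read, write, delete) then uses the returned resolved path rather than the original string; doing the comparison on resolved paths is what makes `notes/../report.txt` acceptable while `../../outside/escaped.txt` is not.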
Impact
Exploitation of this vulnerability leads to arbitrary code execution on the user's machine, with the user's privileges, in any Python process they subsequently start. Because the interpreter processes .pth files at startup, the payload runs reliably regardless of when the file was written. The same unvalidated tools also allow arbitrary file reading, writing and deletion, opening the door to destructive ransomware-style attacks. Exfiltration of MCP credentials and LLM provider credentials is also possible, further widening the impact.
Reproduction
The vulnerability can be reproduced by initializing a PraisonAI MCP server and using the 'tools/call' feature to invoke the vulnerable file-handling tools. This can be done manually or through an LLM under indirect prompt injection, which will automatically execute the malicious 'tools/call' without any additional user interaction.
Remediation
Users can update to PraisonAI version 4.6.34 or later, where this vulnerability has been patched.