PraisonAI SQL and CQL Injection Vulnerability in Knowledge-Store Backends
Vulnerability
A vulnerability exists in PraisonAI versions from 2.4.1 up to, but not including, 4.6.34 that allows SQL and CQL injection through unvalidated collection names in optional knowledge-store backends. The issue arises because these backends interpolate collection names directly into query text without validation or sanitization. Affected backends include 'pgvector', 'cassandra', and 'singlestore_vector'. The vulnerability can be exploited by passing untrusted collection names into the knowledge-store APIs, leading to execution of arbitrary SQL or CQL commands, manipulation of database tables, or backend errors.
Impact
Exploitation of this vulnerability could result in SQL or CQL injection, allowing attacker-controlled commands to execute in the database context. This could lead to unauthorized data access, data manipulation, or, in the case of SQL injection, potentially the execution of administrative commands such as dropping tables.
Reproduction
The vulnerability can be reproduced by using the 'SingleStoreVectorKnowledgeStore' or 'PGVectorKnowledgeStore' classes from the PraisonAI persistence layer. After creating an instance of the knowledge store, untrusted collection names can be passed to methods like 'delete_collection()' or 'create_collection()'. The interpolated SQL commands can be observed, showing that the injected collection names were executed as part of the SQL query.
Remediation
Users should update to PraisonAI version 4.6.34 or later, where this vulnerability has been patched.
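For deployments that cannot upgrade immediately, collection names can be checked before they reach the knowledge-store APIs. The following is an added example, not PraisonAI's code or its patch: the function names, the allow-list policy, the 48-character cap and the `DROP TABLE IF EXISTS` statement shape are all assumptions, and the sample names are constructed.

```python
import re

# Assumed policy (not PraisonAI's): ASCII letter or underscore first, then
# letters, digits or underscores, 48 characters at most.
_NAME_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,47}")

# Identifier quote character for each backend named in the advisory.
_QUOTE = {"pgvector": '"', "cassandra": '"', "singlestore_vector": "`"}


class InvalidCollectionName(ValueError):
    """Raised when a collection name fails the allow-list."""


def validate_collection_name(name):
    # fullmatch() also rejects a trailing newline, which match() with "$" accepts.
    if not isinstance(name, str) or not _NAME_RE.fullmatch(name):
        raise InvalidCollectionName(f"rejected collection name: {name!r}")
    return name


def unsafe_drop_statement(name):
    # The pattern the advisory describes: the name becomes query text as-is.
    return f"DROP TABLE IF EXISTS {name}"


def safe_drop_statement(backend, name):
    # Validate first, then quote the identifier as a second layer.
    quote = _QUOTE[backend]
    return f"DROP TABLE IF EXISTS {quote}{validate_collection_name(name)}{quote}"


def audit(backend, names):
    """Return (name, statement or None) for each name; None means rejected."""
    results = []
    for name in names:
        try:
            results.append((name, safe_drop_statement(backend, name)))
        except InvalidCollectionName:
            results.append((name, None))
    return results


# Constructed sample input: two ordinary names and three that must be rejected.
SAMPLES = ["docs_2024", "team_notes", "docs; DROP TABLE users", "docs\n", ""]

if __name__ == "__main__":
    print(unsafe_drop_statement(SAMPLES[2]))  # two statements in one string
    for name, stmt in audit("pgvector", SAMPLES):
        print(repr(name), "->", stmt)
```

Validation of this kind belongs at the boundary where untrusted input is mapped to a collection name; it does not replace updating to the patched version.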
