PraisonAI and PraisonAIAgents Unsafe Tool Resolution Vulnerability Allowing Execution of Undeclared Callables

Vulnerability

A vulnerability exists in PraisonAI versions prior to 4.6.37 and in PraisonAIAgents versions prior to 1.6.37. When a requested tool name matches neither the agent's declared tools nor a registry entry, PraisonAIAgents falls back to resolving the name against module globals and '__main__'. Because the agent setting '_perm_allow' defaults to None, an undeclared name that is not classified as dangerous passes the permission gate. An attacker who can influence the tool name the agent executes can therefore invoke application callables that were never declared as tools, potentially leading to unauthorized actions or data exposure.

Impact

Exploitation allows execution of undeclared application callables from '__main__', bypassing the intended permission controls. Any callable reachable in that scope becomes invocable through the agent, so the impact depends on what the application defines there; privileged functions are the worst case and their invocation leads to unauthorized actions within the application.

Reproduction

To reproduce, define a callable in the '__main__' scope, create a PraisonAIAgents agent with an empty tools list, and call the function by name through the agent's 'execute_tool()' method. With the default permission settings the call is executed even though the function was never declared as a tool, demonstrating the bypass of the tool declaration requirement.
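The following is an added model of the resolution order the advisory describes, placed beside a hardened resolver; it is not PraisonAIAgents source and does not import the library. The resolver functions, the permission gate, the DANGEROUS_NAMES set, the application functions and the APP_GLOBALS dictionary (standing in for the module globals and '__main__' the real fallback searches) are all constructed for the demonstration. The undeclared_reachable() helper is an assumption added as an audit aid: it lists which callables in an application scope the unsafe fallback would expose.

```python
"""Model of the unsafe tool resolution described above (added illustration,
not PraisonAIAgents code). Order mirrored from the advisory:
declared tools -> registry -> application globals / '__main__',
with the permission gate's allow-list ('_perm_allow') defaulting to None."""
from typing import Any, Callable, Dict, Optional

# Constructed deny-list: the advisory says the default gate stops only
# undeclared names it classifies as dangerous. The exact real set is unknown.
DANGEROUS_NAMES = {"eval", "exec", "os.system", "subprocess.run"}


class ToolNotFound(LookupError):
    """Name matches no declared tool or registry entry (and, pre-fix, no callable global)."""


class PermissionDenied(PermissionError):
    """The permission gate refused the tool name."""


def _permission_gate(name: str, perm_allow: Optional[set]) -> None:
    """perm_allow None (the default): block dangerous names only, allow the rest."""
    if perm_allow is None:
        if name in DANGEROUS_NAMES:
            raise PermissionDenied(name)
        return
    if name not in perm_allow:
        raise PermissionDenied(name)


def resolve_tool_vulnerable(name: str, declared: Dict[str, Callable], registry: Dict[str, Callable],
                            app_globals: Dict[str, Any], perm_allow: Optional[set] = None) -> Callable:
    """Pre-fix behaviour: after declared tools and registry miss, fall through to
    arbitrary application globals. Anything callable there becomes a 'tool'."""
    if name in declared:
        return declared[name]
    if name in registry:
        return registry[name]
    candidate = app_globals.get(name)          # the unsafe fallback lookup
    if callable(candidate):
        _permission_gate(name, perm_allow)     # only dangerous names are stopped by default
        return candidate
    raise ToolNotFound(name)


def resolve_tool_fixed(name: str, declared: Dict[str, Callable], registry: Dict[str, Callable],
                       perm_allow: Optional[set] = None) -> Callable:
    """Hardened form: a name is callable only if it was declared or registered;
    no lookup in module globals or '__main__' at all."""
    if name in declared:
        tool = declared[name]
    elif name in registry:
        tool = registry[name]
    else:
        raise ToolNotFound(name)
    _permission_gate(name, perm_allow)
    return tool


def execute_tool(resolver: Callable, name: str, arguments: Optional[dict] = None, **ctx) -> Any:
    """Resolve a name with the given resolver and call it, as an agent's execute_tool() would."""
    fn = resolver(name, **ctx)
    return fn(**(arguments or {}))


def outcome(resolver: Callable, name: str, **ctx) -> str:
    """Classify a resolution attempt as 'ok', 'not_found' or 'denied'."""
    try:
        resolver(name, **ctx)
    except ToolNotFound:
        return "not_found"
    except PermissionDenied:
        return "denied"
    return "ok"


def undeclared_reachable(app_globals: Dict[str, Any], declared: Dict[str, Callable],
                         registry: Dict[str, Callable]) -> list:
    """Audit helper (assumption): public callables the vulnerable fallback would expose."""
    return sorted(n for n, v in app_globals.items()
                  if callable(v) and not n.startswith("_")
                  and n not in declared and n not in registry)


# --- constructed application scope standing in for '__main__' ---------------
AUDIT_LOG: list = []


def reset_all_passwords(reason: str = "unspecified") -> str:
    """Privileged application function that was never meant to be a tool."""
    AUDIT_LOG.append(f"reset_all_passwords: {reason}")
    return "all passwords reset"


def get_weather(city: str = "Berlin") -> str:
    """The one function the application actually intends to expose."""
    return f"sunny in {city}"


APP_GLOBALS = {"reset_all_passwords": reset_all_passwords,
               "get_weather": get_weather,
               "DB_URL": "postgres://app@db/prod"}   # constructed; not callable, so unreachable
DECLARED = {"get_weather": get_weather}               # the agent's declared tools
REGISTRY: Dict[str, Callable] = {}                    # empty tool registry

if __name__ == "__main__":
    ctx = dict(declared=DECLARED, registry=REGISTRY)
    print("vulnerable:", execute_tool(resolve_tool_vulnerable, "reset_all_passwords",
                                      {"reason": "prompt-injected"}, app_globals=APP_GLOBALS, **ctx))
    print("fixed:", outcome(resolve_tool_fixed, "reset_all_passwords", **ctx))
    print("exposed by fallback:", undeclared_reachable(APP_GLOBALS, DECLARED, REGISTRY))
```

Running the block shows the vulnerable resolver executing reset_all_passwords although only get_weather was declared, while the hardened resolver reports it as not found. Setting '_perm_allow' to an explicit allow-list (modelled by the perm_allow argument) also blocks the call, but only the hardened order removes the fallback itself.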

Remediation

Users should update to PraisonAI version 4.6.37 or later and PraisonAIAgents version 1.6.37 or later. Until the upgrade is applied, assume that any callable defined in the importing module or in '__main__' is reachable through the agent, and keep privileged functions out of that scope.

Added: May 8, 2026, 2:25 PM
Updated: May 8, 2026, 2:25 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 8.2
remediation: 0.0
relevance: 7.8
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.