PraisonAI is a multi-agent teams system. Prior to version 1.5.90, execute_code() in praisonai-agents runs attacker-controlled Python inside a three-layer sandbox that can be fully bypassed by passing a str subclass with an overridden startswith() method to the _safe_getattr wrapper, achieving arbitrary OS command execution on the host. This issue has been patched in version 1.5.90.
The execute_code() function runs user-submitted Python code inside a three-layer sandbox. The protection mechanism relies on a helper method _safe_getattr, which validates object attributes using the startswith() method. An attacker can pass a subclass of the str type with an overridden startswith() method, causing the security check to return a false positive, allowing attacker-controlled Python code to execute outside the sandbox, leading to arbitrary system command execution on the host.
Attacker gains the ability to execute arbitrary system commands on the host (RCE) with full control over confidentiality, integrity, and availability of the system. The flaw can lead to complete server takeover, data leakage, and further lateral movement in the infrastructure.
Update the praisonai-agents package to version 1.5.90 or later, in which the vulnerability has been removed. The patch is available in the vendor's repository on GitHub.
PraisonAI (praisonai-agents package) in all versions prior to 1.5.90.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:HPraison Praisonaiagents
APPPraison< 1.5.90
Related vulnerabilities
PraisonAI – nieuwierzytelnione przejęcie sesji przeglądarki przez WebSocket
PraisonAI — RCE i command injection przez niezaufowane pliki YAML
Command injection w PraisonAIAgents — podatność w obsłudze hooków lifecycle
PraisonAI is a multi-agent teams system. Prior to praisonai version 4.6.9 and praisonaiagents version 1.6.9, t...
PraisonAI is a multi-agent teams system. Prior to version 1.6.32, the URL checking logic in PraisonAI has a lo...