Yerang30

**Name of the Vulnerable Software and Affected Versions** PraisonAI (affected versions not specified) **Description** A second-order SQL injection issue exists in the `get all user threads` function. The function constructs raw SQL queries using f-strings with unescaped thread IDs obtained from the database. An attacker can inject a malicious thread ID via the `update thread` function. When the application retrieves the thread list, the injected payload is executed, potentially granting full database access. The vulnerable code is located in `src/praisonai/praisonai/ui/sql alchemy.py`. The attack flow involves inserting a malicious payload through `update thread` (line 539), constructing a thread ID string (line 547), and then using this string in a SQL query (line 576). This could lead to the exfiltration of sensitive data, access to conversation histories, and the ability to modify or delete database contents. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** PraisonAI versions prior to 4.5.69 **Description** PraisonAI is susceptible to OS Command Injection, potentially leading to Remote Code Execution (RCE). The `--mcp` command-line argument is passed to `shlex.split()` and then to `anyio.open process()` without validation, allowing arbitrary OS command execution as the process user. The vulnerability exists due to the lack of input validation when processing the `--mcp` argument. The vulnerable code path involves the `cli/features/mcp.py` file, which passes the command to `praisonaiagents/mcp/mcp.py` and ultimately to `mcp/client/stdio/ init .py`. The issue is fixed by introducing a command allowlist in commit `47bff65413beaa3c21bf633c1fae4e684348368c`. **Recommendations** Update PraisonAI to version 4.5.69 or later.

**Name of the Vulnerable Software and Affected Versions** PraisonAI versions prior to 4.5.90 **Description** PraisonAI's `passthrough()` and `apassthrough()` functions accept a caller-controlled `api base` parameter. This parameter is concatenated with the `endpoint` and passed directly to `httpx.Client.request()` when an `AttributeError` occurs in the litellm primary path. The system lacks URL scheme validation, private IP filtering, or a domain allowlist, enabling requests to any reachable host. The functions `passthrough()` and `apassthrough()` are vulnerable. The vulnerable code is located in `passthrough.py` lines 92, 109, and 110. An attacker can potentially retrieve IAM credentials on cloud infrastructure with IMDSv1 enabled, and access internal services without authentication within a VPC. **Recommendations** Update PraisonAI to version 4.5.90 or later.

Name of the Vulnerable Software and Affected Versions PraisonAI versions prior to 1.5.90 Description PraisonAI's `run python()` function constructs a shell command string by interpolating user-controlled code into `python3 -c "<code>"` and passing it to `subprocess.run(..., shell=True)`. The escaping logic only handles `` and `"`, leaving `$()` and backtick substitutions unescaped, which allows arbitrary OS command execution before Python is invoked. The function `run python()` is vulnerable due to incomplete escaping of user-controlled input. The vulnerable code is located in `execute command.py` lines 290, 297, and 310. The `execute command` function calls `subprocess.run()` with `shell=True`, which expands `$()` before Python is executed. The API endpoint is not explicitly mentioned, but the function `run python()` is exposed to prompt injection. Recommendations Update PraisonAI to version 1.5.90 or later.

Name of the Vulnerable Software and Affected Versions PraisonAI (affected versions not specified) Description PraisonAI is susceptible to a critical Python sandbox escape issue that permits code execution outside of the intended sandbox environment. The flaw resides within the `execute code()` function in `praisonai-agents`, which allows for arbitrary OS command execution on the host system. This is achieved by supplying a `str` subclass with an overridden `startswith()` method to the ` safe getattr` wrapper, effectively bypassing the sandbox's security measures. The vulnerability is triggered through the ` safe getattr` function, which incorrectly handles subclasses of strings, and ultimately leads to the execution of arbitrary code via the `Popen` function. The vulnerability can be exploited in deployments using `bot.py`, `autonomy mode.py`, or `bots cli.py` when `PRAISONAI AUTO APPROVE` is set to true, enabling silent execution upon indirect prompt injection. Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions PraisonAI versions prior to 4.5.90 Description PraisonAI's `MCPToolIndex.search tools()` function compiles a caller-supplied string directly as a Python regular expression without validation, sanitization, or a timeout. A crafted regular expression can cause catastrophic backtracking in the `re` engine, blocking the Python thread for hundreds of seconds and leading to a complete service outage. The function `search tools()` takes a query directly from the caller without validation and compiles it using `re.compile()`. This compiled pattern is then used to search tool names and hints. The issue is located in `tool index.py` lines 365 to 368. Recommendations Update PraisonAI to version 4.5.90 or later.

**Name of the Vulnerable Software and Affected Versions** PraisonAI versions prior to 4.5.87 **Description** The PraisonAI Gateway server lacks authentication for WebSocket connections at the `/ws` endpoint and exposes agent topology at the `/info` endpoint without authentication. This allows any network client to connect, enumerate registered agents, and send arbitrary messages to agents and their tool sets. The `/info` endpoint leaks all agent IDs without authentication. The WebSocket endpoint accepts connections unconditionally, without a token check. The `GatewayConfig` has an `auth token` field that is not enforced in the handler. An attacker with network access can enumerate agents via the `/info` API endpoint and send arbitrary messages to agents, potentially leading to tool execution, file reads, and API calls. **Recommendations** Implement strong authentication for all WebSocket connections. Specifically, check for a token in the query parameters or the 'Authorization' header of the WebSocket connection and compare it to the `auth token` configured in `GatewayConfig`. If the tokens do not match, close the connection with a 4001 error code and a 'Unauthorized' reason.

Name of the Vulnerable Software and Affected Versions PraisonAI (affected versions not specified) Description A flaw exists in the token validation process, where the `OAuthManager.validate token()` function incorrectly returns `True` for any token not found in its internal store. This store is empty by default, allowing any HTTP request with an arbitrary Bearer token to be treated as authenticated, granting full access to all registered tools and agent capabilities. The vulnerable code is located in `oauth.py` at lines 364, 374, and 381. An attacker with network access to the MCP HTTP server can call all registered tools, including agent execution, workflow runs, container file read/write, and skill loading. The server binds to `0.0.0.0` by default, requiring no API key. Recommendations Modify the `validate token()` function to explicitly reject unknown tokens by returning `False` if the token is not found in the internal store.

Name of the Vulnerable Software and Affected Versions PraisonAI versions prior to 1.5.95 Description PraisonAI's `FileTools.download file()` function does not validate the `url` parameter before passing it to `httpx.stream()` with `follow redirects=True`. This allows an attacker controlling the URL to access any host accessible from the server, including cloud metadata services and internal network services. The vulnerability can be exploited through open-redirect chaining, bypassing partial URL filters. On cloud infrastructure with IMDSv1 enabled, an attacker can potentially retrieve IAM credentials and write them to disk. The vulnerable code is located in `file tools.py` lines 259 and 296. The `url` parameter is taken directly from the caller without validation and then passed to `httpx.stream()` without proper sanitization. Recommendations Update PraisonAI to version 1.5.95 or later.

**Name of the Vulnerable Software and Affected Versions** PraisonAI versions prior to 4.5.97 **Description** PraisonAI's `SubprocessSandbox` in all modes (BASIC, STRICT, NETWORK ISOLATED) utilizes `subprocess.run()` with `shell=True` and relies on string-pattern matching for command blocking. The blocklist does not include `sh` or `bash` executables, enabling sandbox escape in STRICT mode via `sh -c '<command>'`. This allows attackers to bypass OS-level isolation and potentially access the network, filesystem, and cloud metadata services, especially when combined with agent prompt injection. The vulnerable code is located in `sandbox executor.py`, specifically lines 179 and 326. The issue stems from the lack of blocking `sh` and `bash` in the `blocked commands` list and the use of `shell=True` which spawns `/bin/sh`. **Recommendations** Update to version 4.5.97 or later to address the vulnerability. As a temporary workaround, avoid using the `--sandbox strict` option. Consider using `shlex.split()` with `shell=False` in the `subprocess.run()` call to prevent shell injection.