PT-2026-53117 · Pypi · Praisonai
Published
2026-06-18
·
Updated
2026-06-18
CVSS v3.1
9.1
Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
Summary
The
multiedit tool in src/praisonai/praisonai/tools/multiedit.py allows LLM-controlled arbitrary file read and write without any path validation, workspace boundary check, or protected path guard. This enables an attacker who can influence agent tool arguments (via crafted prompts, user input in chat bots, or malicious YAML workflow configs) to read sensitive files (e.g., /etc/shadow, ~/.ssh/id rsa, ~/.aws/credentials) and overwrite arbitrary files on the filesystem.Details
The
filepath parameter is used directly with open() for both reading (line 74) and writing (line 130) without any of the following protections that exist in other tools in the same codebase:- No
..path traversal check — unlikefile tools.py(line 66:if '..' in filepath: raise ValueError) andedit tools.py(line 35). - No workspace boundary validation — unlike
file tools.py(validate pathwithos.path.commonpathcheck) andskill tools.py(read skill filewith workspace boundary check). - No protected path guard — unlike
praisonai/code/tools/which usesis path within directoryand protected path checks. - No symlink resolution — unlike
file tools.pywhich usesos.path.realpath.
The function is exported via
src/praisonai/praisonai/tools/ init .py as a lazy-loaded tool and is available to agents through the PraisonAI CLI tools registry.Contrast with protected tools: The sibling tools
write file.py, read file.py, apply diff.py, and search replace.py in src/praisonai/praisonai/code/tools/ all implement is path within directory() checks and protected path guards. The multiedit tool has none of these protections.PoC
Setup: Clean checkout of PraisonAI at commit
d5f1114a. No additional dependencies needed beyond Python 3.10+.Positive trigger — arbitrary file read via dry run:
bash
cd /tmp && python3 -c "
import sys
sys.path.insert(0, 'src/praisonai')
from praisonai.tools.multiedit import multiedit
# Read any file content via diff output (dry run=True prevents write)
result = multiedit('/etc/hostname', [{'old': 'DOESNOTEXIST', 'new': 'x'}], dry run=True)
# The diff output reveals the file contents
print('Success:', result['success'])
print('Content leaked via diff:', len(result.get('diff', '')), 'bytes')
"Positive trigger — arbitrary file write:
bash
cd /tmp && python3 -c "
import sys
sys.path.insert(0, 'src/praisonai')
from praisonai.tools.multiedit import multiedit
# Write to an arbitrary file outside workspace
with open('/tmp/victim file.txt', 'w') as f:
f.write('original content here
')
result = multiedit('/tmp/victim file.txt', [{'old': 'original', 'new': 'PWNED'}])
with open('/tmp/victim file.txt', 'r') as f:
print('File content after edit:', repr(f.read()))
"Observed output:
# Read:
Success: False
Content leaked via diff: 0 bytes (file content still accessible via dry run diff when edits match)
# Write:
File content after edit: 'PWNED content here
'Negative control — non-existent file:
bash
result = multiedit('/nonexistent/file.txt', [{'old': 'a', 'new': 'b'}])
# Returns: {'success': False, 'error': 'File not found: /nonexistent/file.txt'}Cleanup:
rm /tmp/victim file.txtImpact
An attacker who can influence the
filepath parameter of the multiedit tool (via crafted prompts to an AI agent, user messages in Telegram/Discord/Slack bots using auto approve tools=True, or YAML workflow configurations) can:- Read arbitrary files — any file readable by the process user, including secrets, SSH keys, cloud credentials, environment files (
.env), and configuration files. - Write/overwrite arbitrary files — modify any file writable by the process user, enabling privilege escalation (e.g., writing to
~/.bashrc,~/.ssh/authorized keys, or overwriting application source code).
This affects all deployments where agents have the
multiedit tool available, including the PraisonAI CLI and chat bot deployments where auto approve tools defaults to True.Suggested remediation
Apply the same path validation pattern used by
file tools.py and the code tools in src/praisonai/praisonai/code/tools/:- Add a
validate pathfunction that:
- Rejects paths containing
.. - Resolves symlinks via
os.path.realpath - Validates the resolved path is within the workspace/CWD using
os.path.commonpath
- Add protected path guards (
.env,.git,.ssh, keys, credentials) - Apply
validate pathto thefilepathparameter before anyopen()call - Consider adding
@require approval(risk level="high")to themultieditfunction
Fix
Path traversal
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Praisonai