GHSA-GCQ3-MFVH-3X25
Vulnerability from github – Published: 2026-06-18 13:59 – Updated: 2026-06-18 13:59PraisonAI Code agent tools fail open without a workspace boundary
Summary
PraisonAI Code's agent-compatible CODE_TOOLS wrappers keep a global workspace root initialized to None. If an application uses CODE_TOOLS, code_read_file, code_search_replace, or code_apply_diff before calling set_workspace(), the wrappers pass workspace=None into lower-level helpers that only enforce path containment when a workspace is truthy. Absolute paths outside the intended project workspace are then read and modified.
The official examples correctly call set_workspace() before CODE_TOOLS, and this report does not claim configured workspaces are ineffective. The issue is the fail-open default. PraisonAI's security documentation describes workspace boundaries as the path-traversal protection mechanism, and the already-published Python API arbitrary file write advisory (GHSA-hvhp-v2gc-268q) was fixed by defaulting an unset workspace to os.getcwd(). The adjacent read and edit paths reached through CODE_TOOLS still fail open.
Affected Components
- Package:
praisonai - Current upstream main tested:
2f9677abb2ea68eab864ee8b6a828fd0141612e1 - Latest tested release:
v4.6.57 - Primary files:
src/praisonai/praisonai/code/agent_tools.pysrc/praisonai/praisonai/code/tools/read_file.pysrc/praisonai/praisonai/code/tools/search_replace.pysrc/praisonai/praisonai/code/tools/apply_diff.py
Root Cause
agent_tools.py initializes _workspace_root to None and passes it directly to lower-level helpers:
_workspace_root: Optional[str] = None
...
result = _read_file(..., workspace=_workspace_root)
...
result = _search_replace(..., workspace=_workspace_root)
The lower-level helpers only enforce containment if workspace is set:
if workspace:
if not is_path_within_directory(abs_path, workspace):
return {"success": False, ...}
The already-hardened write_file() path uses effective_workspace = workspace or os.getcwd(). Current tests assert that write_file(workspace=None) must stay inside the current working directory. The same fail-closed default is missing from read_file, search_replace, apply_diff, and the agent wrappers that call them.
Local-Only Reproduction
Run:
PYTHONPATH=/path/to/PraisonAI/src/praisonai:/path/to/PraisonAI/src/praisonai-agents \
python poc_code_tools_workspace_bypass.py
Expected vulnerable result:
[poc] HIT: CODE_TOOLS wrappers read and edit outside workspace when workspace is unset
The PoV creates a temporary workspace and a temporary file outside that workspace. With get_workspace() == None, code_read_file() reads the outside file, code_search_replace() modifies it, and code_apply_diff() modifies it again. After set_workspace(workspace), the same outside path is rejected by all three wrappers.
No external services, model providers, or network access are used.
Impact
If an application exposes PraisonAI Code's agent-compatible CODE_TOOLS to an LLM before setting a workspace boundary, prompt-influenced tool calls can read and modify files outside the intended project workspace. The practical attack shape matches the existing PraisonAI prompt-content advisory pattern: untrusted content influences an agent that has been given file-editing tools.
Practical impacts include:
- reading host secrets or local configuration files accessible to the process user;
- modifying arbitrary existing files when the attacker can supply or infer matching content for
code_search_replaceorcode_apply_diff; - using
code_read_fileto first learn file content and thencode_apply_diffto produce an exact modification; - bypassing the advertised workspace-boundary security posture unless the embedding application remembered to call
set_workspace()first.
This issue does not claim set_workspace() is ineffective. The control works when configured. The vulnerability is the fail-open default for the advertised agent-tool bundle and adjacent read/edit helpers.
Affected-Version Sweep
The same behavior was reproduced on:
- current upstream main:
2f9677abb2ea68eab864ee8b6a828fd0141612e1 v4.6.57v4.6.56v4.6.10v4.6.9v4.5.128v4.5.126v3.9.26v3.9.24
Suggested Fix
Recommended fix:
- Make every low-level file helper compute
effective_workspace = workspace or os.getcwd()before resolving paths. - Make
code_read_file,code_list_files,code_apply_diff,code_search_replace, andcode_execute_commanduseos.getcwd()as the default workspace when_workspace_root is None. - Keep allowing absolute paths only when they resolve inside the effective workspace.
- Add regression tests proving outside absolute paths are rejected before and after
set_workspace(). - Consider failing closed if
CODE_TOOLSis used before a workspace is configured, or log a warning when the default current working directory is used.
Disclosure Route
PraisonAI's official security documentation lists GitHub Security Advisories as the preferred reporting method and asks reports to include reproduction steps, affected versions, impact, and suggested fixes. The repository security policy page currently shows no configured SECURITY.md, but private vulnerability reporting is available.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 4.6.57"
},
"package": {
"ecosystem": "PyPI",
"name": "praisonai"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.6.59"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-22",
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-18T13:59:26Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "# PraisonAI Code agent tools fail open without a workspace boundary\n\n## Summary\n\nPraisonAI Code\u0027s agent-compatible `CODE_TOOLS` wrappers keep a global workspace root initialized to `None`. If an application uses `CODE_TOOLS`, `code_read_file`, `code_search_replace`, or `code_apply_diff` before calling `set_workspace()`, the wrappers pass `workspace=None` into lower-level helpers that only enforce path containment when a workspace is truthy. Absolute paths outside the intended project workspace are then read and modified.\n\nThe official examples correctly call `set_workspace()` before `CODE_TOOLS`, and this report does not claim configured workspaces are ineffective. The issue is the fail-open default. PraisonAI\u0027s security documentation describes workspace boundaries as the path-traversal protection mechanism, and the already-published Python API arbitrary file write advisory (`GHSA-hvhp-v2gc-268q`) was fixed by defaulting an unset workspace to `os.getcwd()`. The adjacent read and edit paths reached through `CODE_TOOLS` still fail open.\n\n## Affected Components\n\n- Package: `praisonai`\n- Current upstream main tested: `2f9677abb2ea68eab864ee8b6a828fd0141612e1`\n- Latest tested release: `v4.6.57`\n- Primary files:\n - `src/praisonai/praisonai/code/agent_tools.py`\n - `src/praisonai/praisonai/code/tools/read_file.py`\n - `src/praisonai/praisonai/code/tools/search_replace.py`\n - `src/praisonai/praisonai/code/tools/apply_diff.py`\n\n## Root Cause\n\n`agent_tools.py` initializes `_workspace_root` to `None` and passes it directly to lower-level helpers:\n\n```python\n_workspace_root: Optional[str] = None\n...\nresult = _read_file(..., workspace=_workspace_root)\n...\nresult = _search_replace(..., workspace=_workspace_root)\n```\n\nThe lower-level helpers only enforce containment if `workspace` is set:\n\n```python\nif workspace:\n if not is_path_within_directory(abs_path, workspace):\n return {\"success\": False, ...}\n```\n\nThe already-hardened `write_file()` path uses `effective_workspace = workspace or os.getcwd()`. Current tests assert that `write_file(workspace=None)` must stay inside the current working directory. The same fail-closed default is missing from `read_file`, `search_replace`, `apply_diff`, and the agent wrappers that call them.\n\n## Local-Only Reproduction\n\nRun:\n\n```bash\nPYTHONPATH=/path/to/PraisonAI/src/praisonai:/path/to/PraisonAI/src/praisonai-agents \\\n python poc_code_tools_workspace_bypass.py\n```\n\nExpected vulnerable result:\n\n```text\n[poc] HIT: CODE_TOOLS wrappers read and edit outside workspace when workspace is unset\n```\n\nThe PoV creates a temporary workspace and a temporary file outside that workspace. With `get_workspace() == None`, `code_read_file()` reads the outside file, `code_search_replace()` modifies it, and `code_apply_diff()` modifies it again. After `set_workspace(workspace)`, the same outside path is rejected by all three wrappers.\n\nNo external services, model providers, or network access are used.\n\n## Impact\n\nIf an application exposes PraisonAI Code\u0027s agent-compatible `CODE_TOOLS` to an LLM before setting a workspace boundary, prompt-influenced tool calls can read and modify files outside the intended project workspace. The practical attack shape matches the existing PraisonAI prompt-content advisory pattern: untrusted content influences an agent that has been given file-editing tools.\n\nPractical impacts include:\n\n- reading host secrets or local configuration files accessible to the process user;\n- modifying arbitrary existing files when the attacker can supply or infer matching content for `code_search_replace` or `code_apply_diff`;\n- using `code_read_file` to first learn file content and then `code_apply_diff` to produce an exact modification;\n- bypassing the advertised workspace-boundary security posture unless the embedding application remembered to call `set_workspace()` first.\n\nThis issue does not claim `set_workspace()` is ineffective. The control works when configured. The vulnerability is the fail-open default for the advertised agent-tool bundle and adjacent read/edit helpers.\n\n## Affected-Version Sweep\n\nThe same behavior was reproduced on:\n\n- current upstream main: `2f9677abb2ea68eab864ee8b6a828fd0141612e1`\n- `v4.6.57`\n- `v4.6.56`\n- `v4.6.10`\n- `v4.6.9`\n- `v4.5.128`\n- `v4.5.126`\n- `v3.9.26`\n- `v3.9.24`\n\n## Suggested Fix\n\nRecommended fix:\n\n1. Make every low-level file helper compute `effective_workspace = workspace or os.getcwd()` before resolving paths.\n2. Make `code_read_file`, `code_list_files`, `code_apply_diff`, `code_search_replace`, and `code_execute_command` use `os.getcwd()` as the default workspace when `_workspace_root is None`.\n3. Keep allowing absolute paths only when they resolve inside the effective workspace.\n4. Add regression tests proving outside absolute paths are rejected before and after `set_workspace()`.\n5. Consider failing closed if `CODE_TOOLS` is used before a workspace is configured, or log a warning when the default current working directory is used.\n\n## Disclosure Route\n\nPraisonAI\u0027s official security documentation lists GitHub Security Advisories as the preferred reporting method and asks reports to include reproduction steps, affected versions, impact, and suggested fixes. The repository security policy page currently shows no configured `SECURITY.md`, but private vulnerability reporting is available.",
"id": "GHSA-gcq3-mfvh-3x25",
"modified": "2026-06-18T13:59:26Z",
"published": "2026-06-18T13:59:26Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-gcq3-mfvh-3x25"
},
{
"type": "PACKAGE",
"url": "https://github.com/MervinPraison/PraisonAI"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "PraisonAI Code agent tools fail open without a workspace boundary"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.