GHSA-VMMJ-PFW7-FJWP

Vulnerability from github – Published: 2026-06-18 14:26 – Updated: 2026-06-18 14:26
VLAI
Summary
npm PraisonAI codeMode sandbox escape via Function constructor
Details

Summary

The published npm package praisonai exports a TypeScript built-in tool named codeMode. The package describes this tool as executing code in a sandboxed environment, marks its capability as sandbox: true, and registers it through the public tools facade.

The implementation does not create an isolation boundary. It applies a small regular-expression blocklist, sets process and require to undefined inside a plain JavaScript object, and then executes attacker-controlled code with the host process new Function constructor:

const fn = new Function('sandbox', `with (sandbox) { ${code} }`);
const result = fn(sandbox);

Because this runs in the host V8 context, code inside codeMode can use the JavaScript prototype chain to recover the real Function constructor:

({}).constructor.constructor('return process')()

From a normal CommonJS application script, the recovered process object exposes process.mainModule.require. That bypasses the explicit require('fs') and require('child_process') controls and allows host filesystem access and subprocess execution from code that was supposed to be sandboxed.

Technical Details

Current-head source says codeMode is a built-in package tool and explicitly advertises a sandbox boundary:

src/praisonai-ts/src/tools/builtins/code-mode.ts
  13: description: 'Execute code that can import and use other tools in a sandboxed environment',
  24: capabilities: {
  25:   sandbox: true,
  26:   code: true,
  28: packageName: 'praisonai',
  85: description: 'Execute code in a sandboxed environment with access to imported tools. Write files, run code, and get results.',

The same file implements security as a blocklist of exact source-code patterns:

src/praisonai-ts/src/tools/builtins/code-mode.ts
  108: const blockedPatterns = [
  109:   /require\s*\(\s*['"]child_process['"]\s*\)/,
  110:   /require\s*\(\s*['"]fs['"]\s*\)/,
  111:   /import\s+.*from\s+['"]child_process['"]/,
  112:   /process\.exit/,
  113:   /eval\s*\(/,

It then tries to hide dangerous globals by shadowing names in a normal object:

src/praisonai-ts/src/tools/builtins/code-mode.ts
  168: process: undefined,
  169: require: undefined,

Finally, it executes the untrusted code in the host process using new Function and with (sandbox):

src/praisonai-ts/src/tools/builtins/code-mode.ts
  187: const fn = new Function(
  188:   'sandbox',
  189:   `with (sandbox) { ${code} }`
  190: );
  191: const result = fn(sandbox);

This is not a sandbox. new Function does not create a separate security context, and variable shadowing does not remove access to constructors reachable through normal JavaScript objects.

The tool is reachable through the public npm SDK:

src/praisonai-ts/src/index.ts
  117: airweaveSearch, codeMode,

src/praisonai-ts/src/tools/tools.ts
  104: // Code Mode
  105: registry.register(CODE_MODE_METADATA, createCodeModeTool as ToolFactory);
  167: // Code Mode
  168: codeMode: (config?: CodeModeConfig) => codeMode(config),

Why This Is Not Intended Behavior

This is not merely "the user can execute code because codeMode executes code." The vulnerability is that code which is explicitly described and exposed as sandboxed can escape the intended restrictions.

The implementation itself proves an intended security boundary exists:

  • CODE_MODE_METADATA.capabilities.sandbox is true;
  • the tool description says it executes in a sandboxed environment;
  • direct access to fs and child_process is explicitly blocked;
  • process and require are explicitly shadowed as undefined;
  • allowNetwork defaults to false; and
  • the config includes security-relevant controls such as blockedTools, allowedPaths, timeoutMs, and maxMemoryMb.

The PoV shows those intended restrictions work for naive payloads but fail for a standard JavaScript prototype-chain escape.

PraisonAI's official JavaScript and TypeScript docs describe the npm package as a production-ready agent framework installed with npm install praisonai. Public PraisonAI advisories rate comparable Python sandbox escapes as Critical when user/LLM-supplied code crosses from a claimed sandbox into host execution.

PoV

The PoV installs a published npm package version into a temporary project and runs from a real CommonJS script file. Running from a file is important because normal Node applications expose process.mainModule.require; node -e or stdin do not always reproduce that deployment shape.

Run from a local reproduction checkout:

node poc/pov_poc.js 1.7.1

Observed result:

{
  "package": "praisonai",
  "version": "1.7.1",
  "codeModeExported": true,
  "directRequireFsControl": {
    "stderr": "Blocked pattern detected: require\\s*\\(\\s*['\"]fs['\"]\\s*\\)",
    "exitCode": 1,
    "success": false,
    "error": "Code contains blocked patterns for security"
  },
  "directChildProcessControl": {
    "stderr": "Blocked pattern detected: require\\s*\\(\\s*['\"]child_process['\"]\\s*\\)",
    "exitCode": 1,
    "success": false,
    "error": "Code contains blocked patterns for security"
  },
  "escapedProcessEnv": {
    "output": "poc",
    "exitCode": 0,
    "success": true
  },
  "escapedFilesystem": {
    "output": "fs-ok",
    "exitCode": 0,
    "success": true
  },
  "escapedCommand": {
    "output": "poc",
    "exitCode": 0,
    "success": true
  }
}

Interpretation:

  • direct require('fs') is blocked;
  • direct require('child_process') is blocked;
  • the Function-constructor payload recovers host process;
  • the escaped process reads a host environment variable;
  • the escaped process imports fs; and
  • the escaped process imports child_process and runs a harmless printf.

The PoV does not contact any LLM provider or external service after npm package installation. It does not modify host files or execute a destructive command.

PoC

The PoV section above contains the local reproduction command, input, and decisive output.

Impact

An attacker who can supply code to codeMode can escape the advertised sandbox and execute with the privileges of the Node.js PraisonAI process.

Realistic entry points include:

  • an application that exposes codeMode as an agent tool to end users;
  • an LLM/tool-call flow where prompt-controlled content reaches the code parameter;
  • MCP or tool-registry integrations that make the built-in codeMode tool callable; or
  • any multi-tenant service that relies on codeMode to safely run user or model-generated JavaScript.

Impact after escape includes:

  • reading process environment variables, including API keys and service tokens;
  • reading files available to the Node process;
  • spawning subprocesses with child_process;
  • writing or modifying files through host filesystem APIs; and
  • terminating or resource-exhausting the host process.

Severity

Suggested severity: Critical.

Rationale:

  • AV: codeMode is a designated agent/tool surface and can be reached over the network in standard agent applications that expose tool calls to users or LLM-controlled workflows.
  • AC: a single code payload is enough.
  • PR: the attacker needs the ability to submit code or prompt-controlled content to an agent/tool flow.
  • UI: no additional user interaction is required once the tool is invoked.
  • S: execution crosses from the advertised sandbox security scope into the host Node.js process.
  • C: host files and environment variables are readable.
  • I: host subprocess and filesystem APIs are reachable.
  • A: escaped code can terminate processes or consume host resources.

Suggested Fix

Do not use host-process new Function plus source-code blocklists as a sandbox.

Recommended fix direction:

  1. Disable or clearly mark npm codeMode as unsafe until a real isolation boundary exists.
  2. Execute untrusted code in a separate OS process, container, worker isolate, or similar boundary with a restricted user, minimal environment, temporary working directory, no inherited secrets, and explicit IPC for allowed tool calls.
  3. Enforce allowNetwork, allowedPaths, timeoutMs, maxMemoryMb, allowedTools, and blockedTools at that boundary instead of by scanning source strings.
  4. Do not rely on node:vm alone for untrusted code. The Node.js documentation explicitly says the vm module is not a security mechanism.
  5. Add regression tests for:
  6. direct require('fs') and require('child_process') blocked controls;
  7. ({}).constructor.constructor('return process')() blocked;
  8. process.mainModule.require('fs') unavailable;
  9. process.mainModule.require('child_process') unavailable;
  10. host environment variables unavailable unless explicitly passed; and
  11. tool-call IPC still works for allowed tools.

If maintainers need an emergency mitigation before a real sandbox exists, reject codeMode execution unless the caller opts into "unsafe host JS execution" with clear documentation that it can access the full Node process.

Affected Package/Versions

  • Repository: MervinPraison/PraisonAI
  • Ecosystem: npm
  • Package: praisonai
  • Component: src/praisonai-ts/src/tools/builtins/code-mode.ts
  • Current npm version checked: 1.7.1
  • Refreshed origin/main checked: 1ad58ca02975ff1398efeda694ea2ab78f20cf3e

Confirmed affected range:

>= 1.4.0, <= 1.7.1

Boundary:

1.3.6 does not export codeMode and does not ship dist/tools/builtins/code-mode.js.

No fixed npm version is known at the time of this report.

Version Sweep

The included sweep installs selected npm versions and runs the same vulnerable shape from a script file:

node poc/version_sweep_poc.js

Observed result:

1.3.6: codeModeExported=false, hasDistCodeMode=false
1.4.0: directRequireFsBlocked=true, escapeProcessEnv=true, escapeFilesystem=true, escapeCommand=true
1.5.4: directRequireFsBlocked=true, escapeProcessEnv=true, escapeFilesystem=true, escapeCommand=true
1.6.0: directRequireFsBlocked=true, escapeProcessEnv=true, escapeFilesystem=true, escapeCommand=true
1.7.0: directRequireFsBlocked=true, escapeProcessEnv=true, escapeFilesystem=true, escapeCommand=true
1.7.1: directRequireFsBlocked=true, escapeProcessEnv=true, escapeFilesystem=true, escapeCommand=true

Git history for the TypeScript file points to the 1.4.0 integration:

56f36e25 feat: bump version to 1.4.0 and add AI SDK integration dependencies
2bad9a50 feat: bump version to 1.4.0 and add AI SDK integration dependencies

Advisory History

Checked:

  • visible PraisonAI advisories and prior reports;
  • public GitHub advisory search results for PraisonAI codeMode, npm, sandbox, new Function, process, and child_process; and
  • visible public PraisonAI advisories for sandbox escapes.

Closest related advisories are Python/PyPI scoped and do not cover this npm TypeScript implementation:

  • GHSA-qf73-2hrx-xprp / CVE-2026-39888: pip:praisonaiagents execute_code() frame traversal in a Python subprocess sandbox.
  • GHSA-4mr5-g6f9-cfrh / CVE-2026-47392: pip:praisonai Python execute_code() sandbox escape through print.__self__.
  • Other published PraisonAI sandbox advisories cover Python execute_code, SubprocessSandbox, Sandlock/native fallback, or CLI/managed-agent bridges.

This report is distinct because it targets:

  • ecosystem: npm;
  • package: praisonai;
  • component: src/praisonai-ts/src/tools/builtins/code-mode.ts;
  • root cause: host-context new Function plus blocklist/name-shadowing sandbox; and
  • affected range: >= 1.4.0, <= 1.7.1.

One private npm report has already been submitted for TypeScript AgentOS missing authentication (GHSA-9752-mhqh-h34f). That is also distinct: it covers unauthenticated HTTP agent listing/invocation, not a codeMode sandbox escape.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.7.1"
      },
      "package": {
        "ecosystem": "npm",
        "name": "praisonai"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.4.0"
            },
            {
              "fixed": "1.7.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-184",
      "CWE-693"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-18T14:26:32Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "## Summary\n\nThe published npm package `praisonai` exports a TypeScript built-in tool named `codeMode`. The package describes this tool as executing code in a sandboxed environment, marks its capability as `sandbox: true`, and registers it through the public tools facade.\n\nThe implementation does not create an isolation boundary. It applies a small regular-expression blocklist, sets `process` and `require` to `undefined` inside a plain JavaScript object, and then executes attacker-controlled code with the host process `new Function` constructor:\n\n```text\nconst fn = new Function(\u0027sandbox\u0027, `with (sandbox) { ${code} }`);\nconst result = fn(sandbox);\n```\n\nBecause this runs in the host V8 context, code inside `codeMode` can use the JavaScript prototype chain to recover the real `Function` constructor:\n\n```text\n({}).constructor.constructor(\u0027return process\u0027)()\n```\n\nFrom a normal CommonJS application script, the recovered `process` object exposes `process.mainModule.require`. That bypasses the explicit `require(\u0027fs\u0027)` and `require(\u0027child_process\u0027)` controls and allows host filesystem access and subprocess execution from code that was supposed to be sandboxed.\n\n## Technical Details\n\nCurrent-head source says `codeMode` is a built-in package tool and explicitly advertises a sandbox boundary:\n\n```text\nsrc/praisonai-ts/src/tools/builtins/code-mode.ts\n  13: description: \u0027Execute code that can import and use other tools in a sandboxed environment\u0027,\n  24: capabilities: {\n  25:   sandbox: true,\n  26:   code: true,\n  28: packageName: \u0027praisonai\u0027,\n  85: description: \u0027Execute code in a sandboxed environment with access to imported tools. Write files, run code, and get results.\u0027,\n```\n\nThe same file implements security as a blocklist of exact source-code patterns:\n\n```text\nsrc/praisonai-ts/src/tools/builtins/code-mode.ts\n  108: const blockedPatterns = [\n  109:   /require\\s*\\(\\s*[\u0027\"]child_process[\u0027\"]\\s*\\)/,\n  110:   /require\\s*\\(\\s*[\u0027\"]fs[\u0027\"]\\s*\\)/,\n  111:   /import\\s+.*from\\s+[\u0027\"]child_process[\u0027\"]/,\n  112:   /process\\.exit/,\n  113:   /eval\\s*\\(/,\n```\n\nIt then tries to hide dangerous globals by shadowing names in a normal object:\n\n```text\nsrc/praisonai-ts/src/tools/builtins/code-mode.ts\n  168: process: undefined,\n  169: require: undefined,\n```\n\nFinally, it executes the untrusted code in the host process using `new Function` and `with (sandbox)`:\n\n```text\nsrc/praisonai-ts/src/tools/builtins/code-mode.ts\n  187: const fn = new Function(\n  188:   \u0027sandbox\u0027,\n  189:   `with (sandbox) { ${code} }`\n  190: );\n  191: const result = fn(sandbox);\n```\n\nThis is not a sandbox. `new Function` does not create a separate security context, and variable shadowing does not remove access to constructors reachable through normal JavaScript objects.\n\nThe tool is reachable through the public npm SDK:\n\n```text\nsrc/praisonai-ts/src/index.ts\n  117: airweaveSearch, codeMode,\n\nsrc/praisonai-ts/src/tools/tools.ts\n  104: // Code Mode\n  105: registry.register(CODE_MODE_METADATA, createCodeModeTool as ToolFactory);\n  167: // Code Mode\n  168: codeMode: (config?: CodeModeConfig) =\u003e codeMode(config),\n```\n\n### Why This Is Not Intended Behavior\n\nThis is not merely \"the user can execute code because codeMode executes code.\" The vulnerability is that code which is explicitly described and exposed as sandboxed can escape the intended restrictions.\n\nThe implementation itself proves an intended security boundary exists:\n\n- `CODE_MODE_METADATA.capabilities.sandbox` is `true`;\n- the tool description says it executes in a sandboxed environment;\n- direct access to `fs` and `child_process` is explicitly blocked;\n- `process` and `require` are explicitly shadowed as `undefined`;\n- `allowNetwork` defaults to `false`; and\n- the config includes security-relevant controls such as `blockedTools`, `allowedPaths`, `timeoutMs`, and `maxMemoryMb`.\n\nThe PoV shows those intended restrictions work for naive payloads but fail for a standard JavaScript prototype-chain escape.\n\nPraisonAI\u0027s official JavaScript and TypeScript docs describe the npm package as a production-ready agent framework installed with `npm install praisonai`. Public PraisonAI advisories rate comparable Python sandbox escapes as Critical when user/LLM-supplied code crosses from a claimed sandbox into host execution.\n\n## PoV\n\nThe PoV installs a published npm package version into a temporary project and runs from a real CommonJS script file. Running from a file is important because normal Node applications expose `process.mainModule.require`; `node -e` or stdin do not always reproduce that deployment shape.\n\nRun from a local reproduction checkout:\n\n```fish\nnode poc/pov_poc.js 1.7.1\n```\n\nObserved result:\n\n```json\n{\n  \"package\": \"praisonai\",\n  \"version\": \"1.7.1\",\n  \"codeModeExported\": true,\n  \"directRequireFsControl\": {\n    \"stderr\": \"Blocked pattern detected: require\\\\s*\\\\(\\\\s*[\u0027\\\"]fs[\u0027\\\"]\\\\s*\\\\)\",\n    \"exitCode\": 1,\n    \"success\": false,\n    \"error\": \"Code contains blocked patterns for security\"\n  },\n  \"directChildProcessControl\": {\n    \"stderr\": \"Blocked pattern detected: require\\\\s*\\\\(\\\\s*[\u0027\\\"]child_process[\u0027\\\"]\\\\s*\\\\)\",\n    \"exitCode\": 1,\n    \"success\": false,\n    \"error\": \"Code contains blocked patterns for security\"\n  },\n  \"escapedProcessEnv\": {\n    \"output\": \"poc\",\n    \"exitCode\": 0,\n    \"success\": true\n  },\n  \"escapedFilesystem\": {\n    \"output\": \"fs-ok\",\n    \"exitCode\": 0,\n    \"success\": true\n  },\n  \"escapedCommand\": {\n    \"output\": \"poc\",\n    \"exitCode\": 0,\n    \"success\": true\n  }\n}\n```\n\nInterpretation:\n\n- direct `require(\u0027fs\u0027)` is blocked;\n- direct `require(\u0027child_process\u0027)` is blocked;\n- the Function-constructor payload recovers host `process`;\n- the escaped process reads a host environment variable;\n- the escaped process imports `fs`; and\n- the escaped process imports `child_process` and runs a harmless `printf`.\n\nThe PoV does not contact any LLM provider or external service after npm package installation. It does not modify host files or execute a destructive command.\n\n## PoC\n\nThe PoV section above contains the local reproduction command, input, and decisive output.\n\n## Impact\n\nAn attacker who can supply code to `codeMode` can escape the advertised sandbox and execute with the privileges of the Node.js PraisonAI process.\n\nRealistic entry points include:\n\n- an application that exposes `codeMode` as an agent tool to end users;\n- an LLM/tool-call flow where prompt-controlled content reaches the `code` parameter;\n- MCP or tool-registry integrations that make the built-in `codeMode` tool callable; or\n- any multi-tenant service that relies on `codeMode` to safely run user or model-generated JavaScript.\n\nImpact after escape includes:\n\n- reading process environment variables, including API keys and service tokens;\n- reading files available to the Node process;\n- spawning subprocesses with `child_process`;\n- writing or modifying files through host filesystem APIs; and\n- terminating or resource-exhausting the host process.\n\n### Severity\n\nSuggested severity: Critical.\n\nRationale:\n\n- `AV`: `codeMode` is a designated agent/tool surface and can be reached over the network in standard agent applications that expose tool calls to users or LLM-controlled workflows.\n- `AC`: a single code payload is enough.\n- `PR`: the attacker needs the ability to submit code or prompt-controlled content to an agent/tool flow.\n- `UI`: no additional user interaction is required once the tool is invoked.\n- `S`: execution crosses from the advertised sandbox security scope into the host Node.js process.\n- `C`: host files and environment variables are readable.\n- `I`: host subprocess and filesystem APIs are reachable.\n- `A`: escaped code can terminate processes or consume host resources.\n\n## Suggested Fix\n\nDo not use host-process `new Function` plus source-code blocklists as a sandbox.\n\nRecommended fix direction:\n\n1. Disable or clearly mark npm `codeMode` as unsafe until a real isolation boundary exists.\n2. Execute untrusted code in a separate OS process, container, worker isolate, or similar boundary with a restricted user, minimal environment, temporary working directory, no inherited secrets, and explicit IPC for allowed tool calls.\n3. Enforce `allowNetwork`, `allowedPaths`, `timeoutMs`, `maxMemoryMb`, `allowedTools`, and `blockedTools` at that boundary instead of by scanning source strings.\n4. Do not rely on `node:vm` alone for untrusted code. The Node.js documentation explicitly says the `vm` module is not a security mechanism.\n5. Add regression tests for:\n   - direct `require(\u0027fs\u0027)` and `require(\u0027child_process\u0027)` blocked controls;\n   - `({}).constructor.constructor(\u0027return process\u0027)()` blocked;\n   - `process.mainModule.require(\u0027fs\u0027)` unavailable;\n   - `process.mainModule.require(\u0027child_process\u0027)` unavailable;\n   - host environment variables unavailable unless explicitly passed; and\n   - tool-call IPC still works for allowed tools.\n\nIf maintainers need an emergency mitigation before a real sandbox exists, reject `codeMode` execution unless the caller opts into \"unsafe host JS execution\" with clear documentation that it can access the full Node process.\n\n## Affected Package/Versions\n\n- Repository: `MervinPraison/PraisonAI`\n- Ecosystem: `npm`\n- Package: `praisonai`\n- Component: `src/praisonai-ts/src/tools/builtins/code-mode.ts`\n- Current npm version checked: `1.7.1`\n- Refreshed `origin/main` checked: `1ad58ca02975ff1398efeda694ea2ab78f20cf3e`\n\nConfirmed affected range:\n\n```text\n\u003e= 1.4.0, \u003c= 1.7.1\n```\n\nBoundary:\n\n```text\n1.3.6 does not export codeMode and does not ship dist/tools/builtins/code-mode.js.\n```\n\nNo fixed npm version is known at the time of this report.\n\n### Version Sweep\n\nThe included sweep installs selected npm versions and runs the same vulnerable shape from a script file:\n\n```fish\nnode poc/version_sweep_poc.js\n```\n\nObserved result:\n\n```text\n1.3.6: codeModeExported=false, hasDistCodeMode=false\n1.4.0: directRequireFsBlocked=true, escapeProcessEnv=true, escapeFilesystem=true, escapeCommand=true\n1.5.4: directRequireFsBlocked=true, escapeProcessEnv=true, escapeFilesystem=true, escapeCommand=true\n1.6.0: directRequireFsBlocked=true, escapeProcessEnv=true, escapeFilesystem=true, escapeCommand=true\n1.7.0: directRequireFsBlocked=true, escapeProcessEnv=true, escapeFilesystem=true, escapeCommand=true\n1.7.1: directRequireFsBlocked=true, escapeProcessEnv=true, escapeFilesystem=true, escapeCommand=true\n```\n\nGit history for the TypeScript file points to the 1.4.0 integration:\n\n```text\n56f36e25 feat: bump version to 1.4.0 and add AI SDK integration dependencies\n2bad9a50 feat: bump version to 1.4.0 and add AI SDK integration dependencies\n```\n\n## Advisory History\n\nChecked:\n\n- visible PraisonAI advisories and prior reports;\n- public GitHub advisory search results for PraisonAI `codeMode`, npm, sandbox, `new Function`, `process`, and `child_process`; and\n- visible public PraisonAI advisories for sandbox escapes.\n\nClosest related advisories are Python/PyPI scoped and do not cover this npm TypeScript implementation:\n\n- `GHSA-qf73-2hrx-xprp` / `CVE-2026-39888`: `pip:praisonaiagents` `execute_code()` frame traversal in a Python subprocess sandbox.\n- `GHSA-4mr5-g6f9-cfrh` / `CVE-2026-47392`: `pip:praisonai` Python `execute_code()` sandbox escape through `print.__self__`.\n- Other published PraisonAI sandbox advisories cover Python `execute_code`, `SubprocessSandbox`, Sandlock/native fallback, or CLI/managed-agent bridges.\n\nThis report is distinct because it targets:\n\n- ecosystem: `npm`;\n- package: `praisonai`;\n- component: `src/praisonai-ts/src/tools/builtins/code-mode.ts`;\n- root cause: host-context `new Function` plus blocklist/name-shadowing sandbox; and\n- affected range: `\u003e= 1.4.0, \u003c= 1.7.1`.\n\nOne private npm report has already been submitted for TypeScript `AgentOS` missing authentication (`GHSA-9752-mhqh-h34f`). That is also distinct: it covers unauthenticated HTTP agent listing/invocation, not a `codeMode` sandbox escape.",
  "id": "GHSA-vmmj-pfw7-fjwp",
  "modified": "2026-06-18T14:26:32Z",
  "published": "2026-06-18T14:26:32Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-vmmj-pfw7-fjwp"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/MervinPraison/PraisonAI"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "npm PraisonAI codeMode sandbox escape via Function constructor"
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…