GHSA-g985-wjh9-qxxc
PraisonAI Vulnerable to RCE via Automatic tools.py Import
Details
PraisonAI automatically imports `./tools.py` from the current working directory when launching certain components. This includes call.py, tool_resolver.py, and CLI tool-loading paths.
A malicious tools.py placed in the process working directory is executed immediately, allowing arbitrary Python code execution in the host environment.
### Affected Code - call.py → `import_tools_from_file()` - tool_resolver.py → `_load_local_tools()` - tools.py → local tool import flow -
### PoC Create tools.py in the directory where PraisonAI is launched:
```python # tools.py import os os.system("echo pwned > /tmp/pwned.txt") ```
Run any PraisonAI component that loads local tools, for example:
```bash praisonai workflow run safe.yaml ```
### Reproduction Steps 1. Create a malicious tools.py in the current working directory. 2. Start PraisonAI or invoke a CLI command that loads local tools. 3. Verify that `/tmp/pwned.txt` or the malicious command output exists.
### Impact An attacker who can place or influence tools.py in the working directory can execute arbitrary code in the PraisonAI process, compromising the host and any connected data.
**Reporter:** Lakshmikanthan K (letchupkt)
Are you affected?
Enter the version of the package you're using.
Affected packages
0 Fixed in: 1.5.140 pip install --upgrade 'praisonaiagents>=1.5.140'