Praisonaiagents
Monthly
Remote attackers can invoke arbitrary application callables in PraisonAI multi-agent systems by manipulating tool-call names to bypass tool declaration controls. Vulnerable versions (praisonai <4.6.37, praisonaiagents <1.6.37) resolve unmatched tool names against module globals and __main__ namespaces without permission validation when _perm_allow is None (default configuration). This enables unauthorized function execution beyond the intended tool list, allowing integrity compromise and potential information disclosure. Patched versions 4.6.37 and 1.6.37 address the tool name resolution vulnerability.
Unauthenticated remote session hijacking in PraisonAI's browser bridge (versions <4.5.139) and praisonaiagents (<1.5.140) allows network attackers to control browser automation sessions without authentication. The /ws WebSocket endpoint accepts connections from any client omitting the Origin header, enabling attackers to send start_session commands that hijack idle browser-extension sessions and receive all automation outputs. With CVSS 9.1 (Critical) scoring driven by network attack vector, low complexity, and no authentication requirement (AV:N/AC:L/PR:N), this represents a severe risk in any deployment where the default 0.0.0.0 binding exposes the service to untrusted networks. No public exploit identified at time of analysis, though exploitation requires only basic WebSocket client capabilities.
Server-Side Request Forgery (SSRF) in PraisonAIAgents versions prior to 1.5.128 allows unauthenticated attackers to manipulate LLM agents into crawling arbitrary internal URLs. The httpx fallback crawler accepts user-supplied URLs without host validation and follows redirects, enabling access to cloud metadata endpoints (169.254.169.254), internal services, and localhost. Response content is returned to the agent and may be exposed in attacker-visible output. This vulnerability is the default behavior on fresh installations without Tavily API keys or Crawl4AI dependencies. No public exploit identified at time of analysis.
Environment variable exfiltration in PraisonAIAgents versions prior to 1.5.128 allows unauthenticated remote attackers to steal secrets (database credentials, API keys, cloud access keys) through shell_tools.py execute_command function. The vulnerability leverages deceptive command approval where unexpanded $VAR references shown to human reviewers differ from executed commands containing expanded environment variable values. Requires user interaction. No public exploit identified at time of analysis.
Server-side request forgery in PraisonAIAgents multi-agent system allows authenticated attackers to force internal network reconnaissance and data exfiltration through unvalidated URL crawling. The web_crawl() function in versions prior to 1.5.128 accepts arbitrary URLs from AI agents without scheme allowlisting, hostname blocking, or private network checks, enabling access to cloud metadata endpoints (AWS/Azure/GCP), internal services, and local filesystems via file:// URIs. Exploitation requires low-privileged authenticated access with network reachability and no user interaction. No public exploit identified at time of analysis.
PraisonAIAgents versions prior to 1.5.128 allow unauthenticated local attackers to read arbitrary files from the filesystem via the read_skill_file() function in skill_tools.py, which lacks the workspace boundary protections and approval requirements enforced by comparable file access functions. An agent subjected to prompt injection can exfiltrate sensitive files without user awareness or approval prompts, enabling confidentiality compromise with CVSS 6.2 (local attack vector, high confidentiality impact). No public exploit code or active exploitation has been reported at the time of analysis.
Command injection in PraisonAIAgents memory hooks executor allows authenticated local attackers to execute arbitrary shell commands through unsanitized user input passed to subprocess.run() with shell=True. Affects versions prior to 1.5.128. Two attack vectors exist: direct exploitation via hook configuration (pre_run_command/post_run_command) and automated exploitation through .praisonai/hooks.json lifecycle hooks (BEFORE_TOOL/AFTER_TOOL). Agent prompt injection enables persistent compromise by overwriting hooks.json, executing payloads silently at every lifecycle event without user interaction. No public exploit identified at time of analysis.
Remote attackers can invoke arbitrary application callables in PraisonAI multi-agent systems by manipulating tool-call names to bypass tool declaration controls. Vulnerable versions (praisonai <4.6.37, praisonaiagents <1.6.37) resolve unmatched tool names against module globals and __main__ namespaces without permission validation when _perm_allow is None (default configuration). This enables unauthorized function execution beyond the intended tool list, allowing integrity compromise and potential information disclosure. Patched versions 4.6.37 and 1.6.37 address the tool name resolution vulnerability.
Unauthenticated remote session hijacking in PraisonAI's browser bridge (versions <4.5.139) and praisonaiagents (<1.5.140) allows network attackers to control browser automation sessions without authentication. The /ws WebSocket endpoint accepts connections from any client omitting the Origin header, enabling attackers to send start_session commands that hijack idle browser-extension sessions and receive all automation outputs. With CVSS 9.1 (Critical) scoring driven by network attack vector, low complexity, and no authentication requirement (AV:N/AC:L/PR:N), this represents a severe risk in any deployment where the default 0.0.0.0 binding exposes the service to untrusted networks. No public exploit identified at time of analysis, though exploitation requires only basic WebSocket client capabilities.
Server-Side Request Forgery (SSRF) in PraisonAIAgents versions prior to 1.5.128 allows unauthenticated attackers to manipulate LLM agents into crawling arbitrary internal URLs. The httpx fallback crawler accepts user-supplied URLs without host validation and follows redirects, enabling access to cloud metadata endpoints (169.254.169.254), internal services, and localhost. Response content is returned to the agent and may be exposed in attacker-visible output. This vulnerability is the default behavior on fresh installations without Tavily API keys or Crawl4AI dependencies. No public exploit identified at time of analysis.
Environment variable exfiltration in PraisonAIAgents versions prior to 1.5.128 allows unauthenticated remote attackers to steal secrets (database credentials, API keys, cloud access keys) through shell_tools.py execute_command function. The vulnerability leverages deceptive command approval where unexpanded $VAR references shown to human reviewers differ from executed commands containing expanded environment variable values. Requires user interaction. No public exploit identified at time of analysis.
Server-side request forgery in PraisonAIAgents multi-agent system allows authenticated attackers to force internal network reconnaissance and data exfiltration through unvalidated URL crawling. The web_crawl() function in versions prior to 1.5.128 accepts arbitrary URLs from AI agents without scheme allowlisting, hostname blocking, or private network checks, enabling access to cloud metadata endpoints (AWS/Azure/GCP), internal services, and local filesystems via file:// URIs. Exploitation requires low-privileged authenticated access with network reachability and no user interaction. No public exploit identified at time of analysis.
PraisonAIAgents versions prior to 1.5.128 allow unauthenticated local attackers to read arbitrary files from the filesystem via the read_skill_file() function in skill_tools.py, which lacks the workspace boundary protections and approval requirements enforced by comparable file access functions. An agent subjected to prompt injection can exfiltrate sensitive files without user awareness or approval prompts, enabling confidentiality compromise with CVSS 6.2 (local attack vector, high confidentiality impact). No public exploit code or active exploitation has been reported at the time of analysis.
Command injection in PraisonAIAgents memory hooks executor allows authenticated local attackers to execute arbitrary shell commands through unsanitized user input passed to subprocess.run() with shell=True. Affects versions prior to 1.5.128. Two attack vectors exist: direct exploitation via hook configuration (pre_run_command/post_run_command) and automated exploitation through .praisonai/hooks.json lifecycle hooks (BEFORE_TOOL/AFTER_TOOL). Agent prompt injection enables persistent compromise by overwriting hooks.json, executing payloads silently at every lifecycle event without user interaction. No public exploit identified at time of analysis.