CVE

CVE-2026-35615

PraisonAI Has Path Traversal in FileTools

Executive Summary:

The path validation has a critical logic bug: it checks for .. only AFTER os.path.normpath() has already collapsed the .. segments. The check is therefore ineffective and allows trivial path traversal to any file on the system.

The path validation function also does not resolve symlinks, which could likewise enable path traversal.

Details:

_validate_path() calls os.path.normpath() first, which collapses .. sequences, and only then checks whether '..' appears in the normalized string. Because any .. segment that resolves against a preceding component has already been collapsed, the check passes for exactly the inputs it was meant to reject.

Vulnerable File:

src/praisonai-agents/praisonaiagents/tools/file_tools.py

Lines:

42-49

import os


class FileTools:
    """Tools for file operations including read, write, list, and information."""
    
    @staticmethod
    def _validate_path(filepath: str) -> str:
        # Normalize the path (this is where '..' segments get collapsed)
        normalized = os.path.normpath(filepath)
        absolute = os.path.abspath(normalized)
        
        # Check for path traversal attempts (.. after normalization)
        # We check the original input for '..' to catch traversal attempts
        if '..' in normalized:
            raise ValueError(f"Path traversal detected: {filepath}")
        
        return absolute

Severity: CRITICAL

CVSS v3.1: 9.2 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N)

CWE: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Proof of concept (PoC)

Prerequisites:

  • Ability to specify a file path and call file operations

Steps to reproduce:

poc.py

from praisonaiagents.tools.file_tools import FileTools
print(FileTools._validate_path('/tmp/../etc/passwd'))
## Returns: /etc/passwd
print(FileTools.read_file('/tmp/../etc/passwd'))
## Returns: content of /etc/passwd

Why this works:

## Current vulnerable code:
normalized = os.path.normpath(filepath)  # Collapses .. HERE
absolute = os.path.abspath(normalized)
if '..' in normalized:  # Check AFTER collapse - ALWAYS FALSE!
    raise ValueError(...)

Impact:

  • Complete bypass of path traversal protection
  • Access to ANY file on the system with path from any starting directory
  • Read sensitive files: /etc/passwd, /etc/shadow, ~/.ssh/id_rsa
  • Write arbitrary files if combined with write operations
  • Affects file operations: read_file, write_file, list_files, get_file_info, copy_file, move_file, delete_file, download_file

Additional Notes:

  • Fix: check for '..' in filepath BEFORE calling normpath(), not after
  • _validate_path uses os.path.normpath and os.path.abspath, neither of which resolves symlinks, so it remains vulnerable to path traversal via a symlink if an attacker can control the symlink.
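The following is an added example, not code from PraisonAI or from the advisory. It puts the flawed check described under "Details" / "Why this works" next to a hardened validator, and it goes beyond the page's suggested fix (a '..' substring check before normpath()): instead of pattern-matching on '..', safe_validate() resolves symlinks with os.path.realpath() and requires the result to stay inside an allowed base directory, which also addresses the symlink note above. The names safe_validate, traversal_rejected, run_demo and the base_dir parameter are this example's own; the sandbox directory, secret file and symlink are constructed in a temporary directory.

```python
import os
import tempfile


def vulnerable_validate(filepath: str) -> str:
    """Re-implements the flawed check from the advisory, for contrast.

    normpath() collapses '..' before the substring test runs, so any
    traversal that resolves against a preceding component is missed.
    """
    normalized = os.path.normpath(filepath)
    absolute = os.path.abspath(normalized)
    if '..' in normalized:
        raise ValueError(f"Path traversal detected: {filepath}")
    return absolute


def safe_validate(filepath: str, base_dir: str) -> str:
    """Hardened variant (hypothetical, not the project's fix).

    Resolves symlinks with realpath() and then requires the result to
    stay inside base_dir, instead of looking for '..' in a string.
    """
    base = os.path.realpath(base_dir)
    # join() discards base for absolute input, so an absolute path outside
    # the sandbox is caught by the containment check, not by string rules.
    candidate = os.path.realpath(os.path.join(base, filepath))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"Path escapes allowed directory: {filepath}")
    return candidate


def traversal_rejected(filepath: str, base_dir: str) -> bool:
    """True if safe_validate() refuses the path."""
    try:
        safe_validate(filepath, base_dir)
    except ValueError:
        return True
    return False


def run_demo() -> dict:
    """Constructed scenario: a sandbox dir containing a symlink that points
    outside it. Returns a dict of named checks, each expected to be True."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        allowed = os.path.join(root, "allowed")
        os.mkdir(allowed)
        secret = os.path.join(root, "secret.txt")
        with open(secret, "w") as fh:
            fh.write("outside the sandbox\n")
        link = os.path.join(allowed, "link")
        os.symlink(secret, link)

        # 1. dot-dot traversal: the advisory's check lets it through...
        dotdot = os.path.join(allowed, "..", "secret.txt")
        results["dotdot_passes_vulnerable"] = vulnerable_validate(dotdot) == secret
        # ...while the containment check rejects it.
        results["dotdot_rejected_safe"] = traversal_rejected("../secret.txt", allowed)

        # 2. symlink escape: no '..' anywhere, so a substring check cannot
        #    see it; realpath() exposes the real target.
        results["symlink_passes_vulnerable"] = vulnerable_validate(link) == link
        results["symlink_rejected_safe"] = traversal_rejected("link", allowed)

        # 3. an absolute path outside the sandbox is rejected as well.
        results["absolute_rejected_safe"] = traversal_rejected("/etc/passwd", allowed)

        # 4. a legitimate relative path inside the sandbox still validates.
        expected = os.path.join(os.path.realpath(allowed), "notes", "todo.txt")
        results["inside_allowed_safe"] = safe_validate("notes/todo.txt", allowed) == expected
    return results


if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{name}: {'ok' if ok else 'FAIL'}")
```

The design point is that containment is decided on the resolved path, not on the text of the input: a '..' substring check (before or after normpath) says nothing about where a symlink leads, whereas comparing realpath() output against the allowed base rejects both the dot-dot form and the symlink form with one rule.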

References

  • https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-693f-pf34-72c5
  • https://github.com/MervinPraison/PraisonAI
  • https://github.com/MervinPraison/PraisonAI/releases/tag/v4.5.113

Fix Available: 1.5.113