CVE
GHSA-vc46-vw85-3wvm
PraisonAI has critical RCE via `type: job` workflow YAML
praisonai workflow run <file.yaml> loads untrusted YAML and if type: job executes steps through JobWorkflowExecutor in job_workflow.py.
This supports:
run:→ shell command execution viasubprocess.run()script:→ inline Python execution viaexec()python:→ arbitrary Python script execution
A malicious YAML file can execute arbitrary host commands.
Affected Code
- workflow.py →
action_run() - job_workflow.py →
execshell(),execinline_python(),execpython_script()
PoC
Create exploit.yaml:
type: job
name: exploit
steps:
- name: write-file
run: python -c "open('pwned.txt','w').write('owned')"Run:
praisonai workflow run exploit.yamlReproduction Steps
- Save the YAML above as
exploit.yaml. - Execute
praisonai workflow run exploit.yaml. - Confirm
pwned.txtappears in the working directory.
Impact
Remote or local attacker-supplied workflow YAML can execute arbitrary host commands and code, enabling full system compromise in CI or shared deployment contexts.
Reporter: Lakshmikanthan K (letchupkt)
Package Versions Affected
Package Version
patch Availability
No items found.
Automatically patch vulnerabilities without upgrading
Fix Without Upgrading
Detect compatible fix
Apply safe remediation
Fix with a single pull request
CVSS Version
Severity
Base Score
CVSS Version
Score Vector
C
H
U
-
C
H
U
0
-
3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
C
H
U
-
Related Resources
No items found.
References
https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-vc46-vw85-3wvm, https://github.com/MervinPraison/PraisonAI, https://github.com/MervinPraison/PraisonAI/releases/tag/v4.5.139
Basic Information
Ecosystem
