PraisonAI, Path Traversal, GHSA-4ph2-f6pf-79wv (Critical)

Listen to this Post

The vulnerability stems from the unsafe extraction of tar archives during the recipe pull process. The `LocalRegistry.pull()` and `HttpRegistry.pull()` methods in `src/praisonai/praisonai/recipe/registry.py` use Python’s `tarfile.extractall()` without validating archive member paths. A malicious publisher can create a `.praison` bundle containing a `manifest.json` that passes checksum verification. However, the bundle also includes tar members with path traversal sequences, such as ../../escape-http.txt. When a victim pulls this recipe, the `extractall()` method writes files outside the intended output directory. The HTTP registry client is also vulnerable, as it downloads and extracts the bundle in the same unsafe manner. This allows an attacker to perform arbitrary file writes on the victim’s filesystem. The vulnerability is client-side and affects both local and HTTP registry pull paths. Checksum verification does not prevent exploitation because the traversal payload is part of the signed bundle itself. The issue has been verified by creating an `escape-http.txt` file outside the victim’s output directory. The PoC script demonstrates the vulnerability by publishing a malicious bundle and confirming the file is written outside the chosen directory.

DailyCVE Form

Platform: PraisonAI framework
Version: <=4.5.112
Vulnerability: Path traversal
Severity: Critical
Date: 2026-04-06

Prediction: Patch by 2026-04-20

What Undercode Say:

Analytics

Count vulnerable instances
grep -r "tarfile.open" src/praisonai/praisonai/recipe/registry.py | wc -l
Check for unsafe extractall usage
grep -A5 "tar.extractall" src/praisonai/praisonai/recipe/registry.py

Exploit

import tarfile
import os
Create malicious tar with path traversal
with tarfile.open('malicious.praison', 'w:gz') as tar:
info = tarfile.TarInfo('../../escape-http.txt')
info.size = len(b'owned over http')
tar.addfile(info, fileobj=BytesIO(b'owned over http'))

Protection from this CVE

def safe_extract(tar, path):
for member in tar.getmembers():
member_path = os.path.join(path, member.name)
if not os.path.realpath(member_path).startswith(os.path.realpath(path)):
raise Exception("Path traversal detected")
tar.extractall(path)

Impact

Arbitrary file write outside intended directory, leading to system corruption or remote code execution.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top