PraisonAI Recipe Registry, Path Traversal, CVE (Pending) (High)

Listen to this Post

How the mentioned CVE works (approx. 20 lines):

The vulnerability exists in PraisonAI’s recipe registry publish endpoint. When a client sends a POST request to /v1/recipes/{name}/{version}, the server first writes the uploaded `.praison` bundle to a temporary file. It then calls `LocalRegistry.publish()` before validating that the `name` and `version` fields inside the bundle’s `manifest.json` match the URL parameters. Inside publish(), the server blindly trusts the attacker‑controlled `name` and `version` from the manifest and constructs a filesystem path by joining the registry root with name/version. Because no sanitisation or validation is performed at this stage, an attacker can embed path traversal sequences like `../../outside-dir` in the manifest’s `name` field. The server then creates directories and copies the bundle to a destination outside the configured registry root. Only after the file has been written does the HTTP handler compare the manifest values with the URL values; if they mismatch, it returns an HTTP 400 error and attempts to delete the recipe entry – but the already‑written file outside the root remains on disk. This order of operations (write‑then‑validate) allows arbitrary file write and path traversal. The issue can be triggered by any network client that can reach the publish endpoint (if no token is used) or by any user with publish privileges (if a token is configured). The proof‑of‑concept uses a manifest with `name = “../../outside-dir”` and a safe URL like safe/1.0.0. The server rejects the request with HTTP 400, yet the file `outside-dir-1.0.0.praison` appears outside the registry root (e.g., under /tmp/). This confirms that the write occurs before the consistency check and that no rollback removes the out‑of‑root artifact.

dailycve form (3 words max per line):

Platform: PraisonAI Recipe Registry
Version: unspecified (all)
Vulnerability: Path traversal write
Severity: High
Date: 2026-04-07

Prediction: Patch expected 2026-04-21

What Undercode Say:

Verify vulnerable behavior (from PoC)
cd "/path/to/PraisonAI"
python3 tmp/pocs/poc.py
Manual check for leftover out-of-root artifact
ls -l /tmp/praisonai-publish-traversal-poc/outside-dir-1.0.0.praison
Find all written files outside registry root
find /tmp/praisonai-publish-traversal-poc -maxdepth 2 | sort
Simulate malicious manifest creation
echo '{"name":"../../outside-dir","version":"1.0.0"}' > manifest.json
tar -czf malicious.praison manifest.json
curl -X POST http://target/v1/recipes/safe/1.0.0 -F "[email protected]"

Exploit:

Attacker crafts a `.praison` bundle containing a `manifest.json` with `name` set to `../../outside-dir` (or any traversal path). The bundle is uploaded to a seemingly safe route, e.g., /v1/recipes/safe/1.0.0. The server writes the bundle to a file outside the registry root (e.g., /tmp/outside-dir-1.0.0.praison) before detecting the name/version mismatch and returning HTTP 400. The leftover file can overwrite sensitive system files, plant malicious content, or interfere with adjacent services.

Protection from this CVE:

  1. Validate `manifest.json` name and `version` against `_validate_name()` and `_validate_version()` before any filesystem operation.
  2. Reject path separators (/, \), .., absolute paths, and any value failing the validation.
  3. Resolve the final destination path using `resolve()` and enforce it stays under `self.recipes_path` before `mkdir()` or copy2().
  4. Move the URL‑to‑manifest consistency check ahead of calling self.registry.publish().
  5. Alternatively, refactor `publish()` to accept pre‑validated route parameters instead of trusting manifest values for storage paths.

Impact:

High integrity impact – attacker can create or overwrite files outside the registry root, potentially modifying application data, planting backdoors, or causing denial of service by overwriting critical runtime files. Availability may be affected if adjacent service files are corrupted. The issue can be chained with other local loading behaviours if the out‑of‑root artifact is later consumed by another component.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top