GHSA-29W3-P9W9-WC47

GHSA-29W3-P9W9-WC47 is a critical-severity path traversal vulnerability in praisonai (pip), affecting versions < 4.6.61. It is fixed in 4.6.61.

Summary

The multiedit tool in src/praisonai/praisonai/tools/multiedit.py allows LLM-controlled arbitrary file read and write without any path validation, workspace boundary check, or protected path guard. This enables an attacker who can influence agent tool arguments (via crafted prompts, user input in chat bots, or malicious YAML workflow configs) to read sensitive files (e.g., /etc/shadow, ~/.ssh/id_rsa, ~/.aws/credentials) and overwrite arbitrary files on the filesystem.

Details

The filepath parameter is used directly with open() for both reading (line 74) and writing (line 130) without any of the following protections that exist in other tools in the same codebase:

  1. No .. path traversal check, unlike file_tools.py (line 66: if '..' in filepath: raise ValueError) and edit_tools.py (line 35).
  2. No workspace boundary validation, unlike file_tools.py (_validate_path with os.path.commonpath check) and skill_tools.py (read_skill_file with workspace boundary check).
  3. No protected path guard, unlike praisonai/code/tools/ which uses is_path_within_directory and protected path checks.
  4. No symlink resolution, unlike file_tools.py which uses os.path.realpath.

The function is exported via src/praisonai/praisonai/tools/__init__.py as a lazy-loaded tool and is available to agents through the PraisonAI CLI tools registry.

Contrast with protected tools: The sibling tools write_file.py, read_file.py, apply_diff.py, and search_replace.py in src/praisonai/praisonai/code/tools/ all implement is_path_within_directory() checks and protected path guards. The multiedit tool has none of these protections.

PoC

Setup: Clean checkout of PraisonAI at commit d5f1114a. No additional dependencies needed beyond Python 3.10+.

Positive trigger, arbitrary file read via dry_run:

cd /tmp && python3 -c "
import sys
sys.path.insert(0, 'src/praisonai')
from praisonai.tools.multiedit import multiedit

# Read any file content via diff output (dry_run=True prevents write)
result = multiedit('/etc/hostname', [{'old': 'DOESNOTEXIST', 'new': 'x'}], dry_run=True)
# The diff output reveals the file contents
print('Success:', result['success'])
print('Content leaked via diff:', len(result.get('diff', '')), 'bytes')
"

Positive trigger, arbitrary file write:

cd /tmp && python3 -c "
import sys
sys.path.insert(0, 'src/praisonai')
from praisonai.tools.multiedit import multiedit

# Write to an arbitrary file outside workspace
with open('/tmp/victim_file.txt', 'w') as f:
    f.write('original content here\n')
result = multiedit('/tmp/victim_file.txt', [{'old': 'original', 'new': 'PWNED'}])
with open('/tmp/victim_file.txt', 'r') as f:
    print('File content after edit:', repr(f.read()))
"

Observed output:

# Read:
Success: False
Content leaked via diff: 0 bytes  (file content still accessible via dry_run diff when edits match)

# Write:
File content after edit: 'PWNED content here\n'

Negative control, non-existent file:

result = multiedit('/nonexistent/file.txt', [{'old': 'a', 'new': 'b'}])
# Returns: {'success': False, 'error': 'File not found: /nonexistent/file.txt'}

Cleanup: rm /tmp/victim_file.txt

Suggested remediation

Apply the same path validation pattern used by file_tools.py and the code tools in src/praisonai/praisonai/code/tools/:

  1. Add a _validate_path function that:
    • Rejects paths containing ..
    • Resolves symlinks via os.path.realpath
    • Validates the resolved path is within the workspace/CWD using os.path.commonpath
  2. Add protected path guards (.env, .git, .ssh, keys, credentials)
  3. Apply _validate_path to the filepath parameter before any open() call
  4. Consider adding @require_approval(risk_level="high") to the multiedit function
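
The validation steps above, sketched as an added example; this is not PraisonAI's code or the actual 4.6.61 fix. The names validate_path, guarded_read, PROTECTED_NAMES and PROTECTED_SUFFIXES, and the contents of the protected lists, are assumptions made for illustration.

```python
import os

# Assumed protected names, modelled on the advisory's list
# (.env, .git, .ssh, keys, credentials); not the project's actual list.
PROTECTED_NAMES = {".env", ".git", ".ssh", ".aws", "credentials", "id_rsa"}
PROTECTED_SUFFIXES = (".pem", ".key")


def validate_path(filepath, workspace=None):
    """Return the resolved path if it is safe to open, else raise ValueError."""
    if not isinstance(filepath, str) or not filepath or "\x00" in filepath:
        raise ValueError("invalid path")
    # 1. Reject explicit '..' components before any resolution.
    if ".." in filepath.replace("\\", "/").split("/"):
        raise ValueError("path traversal ('..') is not allowed")
    root = os.path.realpath(workspace or os.getcwd())
    # 2. Resolve symlinks; relative paths are anchored at the workspace,
    #    absolute paths replace it and are caught by the boundary check.
    resolved = os.path.realpath(os.path.join(root, filepath))
    # 3. Boundary check on the resolved path, so a symlink inside the
    #    workspace that points outside it is rejected as well.
    try:
        inside = os.path.commonpath([root, resolved]) == root
    except ValueError:  # e.g. different drives on Windows
        inside = False
    if not inside:
        raise ValueError("path escapes workspace")
    # 4. Protected-path guard on every component below the workspace root.
    for part in os.path.relpath(resolved, root).split(os.sep):
        if part in PROTECTED_NAMES or part.endswith(PROTECTED_SUFFIXES):
            raise ValueError(f"protected path component: {part}")
    return resolved


def guarded_read(filepath, workspace=None):
    """Hypothetical call site: validate first, then open the resolved path."""
    with open(validate_path(filepath, workspace), "r", encoding="utf-8") as f:
        return f.read()
```

Opening the returned resolved path, rather than the caller-supplied string, keeps the check and the file access pointed at the same location.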

Impact

An attacker who can influence the filepath parameter of the multiedit tool (via crafted prompts to an AI agent, user messages in Telegram/Discord/Slack bots using auto_approve_tools=True, or YAML workflow configurations) can:

  • Read arbitrary files: any file readable by the process user, including secrets, SSH keys, cloud credentials, environment files (.env), and configuration files.
  • Write/overwrite arbitrary files: modify any file writable by the process user, enabling privilege escalation (e.g., writing to ~/.bashrc, ~/.ssh/authorized_keys, or overwriting application source code).

This affects all deployments where agents have the multiedit tool available, including the PraisonAI CLI and chat bot deployments where auto_approve_tools defaults to True.

Input manipulates file paths to reach files outside the intended directory, such as configuration or credential files. Typical impact: unauthorized file read or write outside the intended directory.

GHSA-29W3-P9W9-WC47 has a CVSS score of 9.1 (Critical). The vector is network-reachable, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (4.6.61); upgrading removes the vulnerable code path.

Affected versions

praisonai (< 4.6.61)

Security releases

praisonai → 4.6.61 (pip)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.


Remediation advice

Upgrade praisonai to 4.6.61 or later to resolve this vulnerability.

Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.

Frequently Asked Questions

  1. What is GHSA-29W3-P9W9-WC47? GHSA-29W3-P9W9-WC47 is a critical-severity path traversal vulnerability in praisonai (pip), affecting versions < 4.6.61. It is fixed in 4.6.61. Input manipulates file paths to reach files outside the intended directory, such as configuration or credential files.
  2. How severe is GHSA-29W3-P9W9-WC47? GHSA-29W3-P9W9-WC47 has a CVSS score of 9.1 (Critical). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of praisonai are affected by GHSA-29W3-P9W9-WC47? praisonai (pip) versions < 4.6.61 are affected.
  4. Is there a fix for GHSA-29W3-P9W9-WC47? Yes. GHSA-29W3-P9W9-WC47 is fixed in 4.6.61. Upgrade to this version or later.
  5. Is GHSA-29W3-P9W9-WC47 exploitable, and should I be worried? Whether GHSA-29W3-P9W9-WC47 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
  6. What actually determines whether GHSA-29W3-P9W9-WC47 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix GHSA-29W3-P9W9-WC47? Upgrade praisonai to 4.6.61 or later.
