GHSA-GQMF-56H7-RRPF

GHSA-GQMF-56H7-RRPF is a high-severity security vulnerability in praisonai (npm), affecting versions >= 1.2.3, <= 1.7.1. It is fixed in 1.7.2.

Summary

The published npm package praisonai exports a TypeScript SandboxExecutor with a network-isolated mode. The CLI lists that mode as:

network-isolated  No network access (proxy blocked)

The implementation does not create a network namespace, firewall rule, socket filter, or proxy-enforced execution boundary. It only injects proxy environment variables into the child process:

http_proxy: 'http://localhost:0',
https_proxy: 'http://localhost:0',
HTTP_PROXY: 'http://localhost:0',
HTTPS_PROXY: 'http://localhost:0',
no_proxy: '',
NO_PROXY: ''

Clients that do not explicitly honor those proxy variables continue to use the host network stack. A local-only PoV (proof of vulnerability) shows that, under mode: "network-isolated", a proxy-aware Node invocation is stopped, while a plain Node HTTP client launched from the same sandboxed command environment reaches a loopback HTTP server.

This is a network-isolation protection failure in an exported npm API and CLI mode. It is not a generic claim that every PraisonAI sandbox backend is affected.

Technical Details

src/praisonai-ts/src/cli/features/sandbox-executor.ts declares the mode:

export type SandboxMode = 'disabled' | 'basic' | 'strict' | 'network-isolated';

SandboxExecutor.spawn() starts the command through the host shell and passes only the environment returned by buildEnv():

const proc = spawn('sh', ['-c', command], {
  cwd: this.config.cwd,
  env,
  timeout: this.config.timeout,
  stdio: ['pipe', 'pipe', 'pipe']
});

For network-isolated, buildEnv() does not apply an OS-level network restriction. It only sets proxy variables:

case 'network-isolated':
  // No network access (requires additional OS-level setup)
  return {
    ...baseEnv,
    http_proxy: 'http://localhost:0',
    https_proxy: 'http://localhost:0',
    HTTP_PROXY: 'http://localhost:0',
    HTTPS_PROXY: 'http://localhost:0',
    no_proxy: '',
    NO_PROXY: ''
  };

The CLI mode listing presents this as no network access:

'network-isolated': 'No network access (proxy blocked)'

That creates a false boundary. Proxy variables affect only clients that choose to read and honor them. Other clients can still open sockets directly from the child process.

Why This Is Not Intended Behavior

The vulnerable behavior is not "commands can run." The issue is that a mode named network-isolated and displayed to users as "No network access" still allows direct socket access.

The source comment says network-isolated requires additional OS-level setup, which is consistent with the finding: proxy variables alone are not a network isolation mechanism. The exported npm API and CLI mode do not provide such setup or warn callers that this mode is only a best-effort proxy hint.

If the intended behavior is merely "set proxy variables for cooperative clients," the mode name and CLI description should be changed so users do not rely on it as a security boundary.

PoV

Run from a local reproduction checkout:

node poc/pov_poc.js 1.7.1

The PoV:

  1. Installs npm:praisonai@1.7.1 into a temporary project.
  2. Starts a harmless HTTP server bound to 127.0.0.1 on a random local port.
  3. Creates new SandboxExecutor({ mode: "network-isolated" }).
  4. Confirms the child environment contains the proxy variables.
  5. Runs node --use-env-proxy client.js as a proxy-aware control. It fails and does not reach the server.
  6. Runs node client.js without proxy opt-in. It reaches the server and prints the marker.

Observed output summary from evidence/pov-npm-1.7.1.json:

{
  "version": "1.7.1",
  "mode": "network-isolated",
  "control": {
    "localServerBoundToLoopback": true,
    "proxyVariablesSet": true,
    "proxyAwareClientStopped": true,
    "requestReachedLoopbackServer": true
  },
  "observed": {
    "proxyAwareRun": {
      "success": false,
      "stdout": "",
      "exitCode": 2
    },
    "netRun": {
      "success": true,
      "stdout": "BODY=poc\n",
      "exitCode": 0
    },
    "loopbackHitCount": 1
  },
  "vulnerable": true
}

The PoV is local-only. It does not contact any external host after npm package installation, and it does not use cloud metadata or destructive commands.

PoC

The PoV section above contains the local reproduction command, input, and decisive output.

Severity

Suggested severity: High.

Rationale:

  • AV (attack vector): common use is a network-facing application or agent service that accepts user- or prompt-controlled work and executes it through the sandbox.
  • AC (attack complexity): a single command using a non-proxy-aware network client is sufficient.
  • PR (privileges required): conservative scoring assumes the attacker can submit prompts or work items to the application using PraisonAI.
  • UI (user interaction): no additional operator interaction is required once the command is executed.
  • S (scope): impact is scored against the PraisonAI-hosting process and its network privileges.
  • C (confidentiality): network egress can allow data exfiltration from the sandboxed command context.
  • I/A (integrity/availability): reachable internal services can receive attacker-controlled requests, with impact depending on deployment.

If maintainers score only local CLI use, AV:L may be appropriate. If a deployment exposes this through unauthenticated agent endpoints, PR:N may be appropriate.

Affected Package/Versions

  • Repository: MervinPraison/PraisonAI
  • Ecosystem: npm
  • Package: praisonai
  • Component: TypeScript CLI feature SandboxExecutor
  • Latest npm package validated: 1.7.1
  • Current origin/main validated: 1ad58ca02975ff1398efeda694ea2ab78f20cf3e
  • src/praisonai-ts/package.json at origin/main: praisonai 1.7.1

Suggested affected range:

npm:praisonai >= 1.2.3, <= 1.7.1

Selected version sweep:

  • 1.0.0: package main cannot be required in the selected test environment.
  • 1.0.19, 1.1.0, 1.2.0, 1.2.1, 1.2.2: SandboxExecutor is not exported.
  • 1.2.3: vulnerable.
  • 1.2.4: vulnerable.
  • 1.3.0: vulnerable.
  • 1.3.6: vulnerable.
  • 1.4.0: vulnerable.
  • 1.5.0: vulnerable.
  • 1.5.4: vulnerable.
  • 1.6.0: vulnerable.
  • 1.7.0: vulnerable.
  • 1.7.1: vulnerable.

Advisory History

Visible PraisonAI advisories and prior submissions were checked. The closest related findings are distinct:

  • GHSA-r4f2-3m54-pp7q covers PyPI SubprocessSandbox shell=True and blocklist bypass.
  • GHSA-6jcq-6546-qrrw covers Python Sandlock fallback to unrestricted subprocess execution when native Landlock is unavailable.
  • GHSA-vmmj-pfw7-fjwp covers npm codeMode host-process new Function sandbox escape.
  • GHSA-vjv9-7m7j-h833 covers npm SandboxExecutor allowedCommands bypass through shell chaining.

This report is narrower and distinct: npm TypeScript SandboxExecutor network-isolated mode advertises no network access but enforces only proxy environment variables, so non-proxy-aware clients keep network access without needing shell chaining or a disallowed executable.

Impact

Applications often use sandbox network controls to prevent prompt-injected, user-supplied, or model-generated commands from exfiltrating secrets or reaching internal services. A caller who relies on network-isolated mode for that boundary can still get network egress by using any client that ignores proxy environment variables or by using direct socket APIs.

Depending on the hosting environment, this can allow:

  • exfiltration from commands that can read local files, process output, or inherited environment variables;
  • access to localhost or internal network services reachable from the PraisonAI host;
  • requests to cloud metadata or service endpoints if the host network permits them; and
  • bypass of application policy that allows command execution only under a no-network assumption.

This report does not claim that npm PraisonAI exposes this as an unauthenticated network service by default. It is a library-level isolation bypass in an exported TypeScript API and CLI mode.

GHSA-GQMF-56H7-RRPF has a CVSS score of 7.6 (High). The vector is network-reachable, with low privileges required and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (1.7.2); upgrading removes the vulnerable code path.

Affected versions

praisonai (>= 1.2.3, <= 1.7.1)

Security releases

praisonai → 1.7.2 (npm)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.


Remediation advice

Do not represent proxy environment variables as network isolation.

Recommended:

  1. For a true network-isolated mode, run commands inside an execution boundary with OS-enforced network denial, such as a network namespace, firewall rule, sandbox profile, container, VM, or platform-specific socket filter.
  2. Add regression tests that start a loopback server and verify that direct socket clients, Node http.get, Python sockets, curl, and other common clients cannot connect under network-isolated.
  3. If only proxy hints are intended, rename the mode to something like proxy-blocked, document that it is not a security boundary, and keep "network-isolated" unavailable until OS-level enforcement exists.
  4. Consider default-deny egress with explicit allowlists for destinations that must remain reachable from sandboxed commands.

Frequently Asked Questions

  1. What is GHSA-GQMF-56H7-RRPF? GHSA-GQMF-56H7-RRPF is a high-severity security vulnerability in praisonai (npm), affecting versions >= 1.2.3, <= 1.7.1. It is fixed in 1.7.2.
  2. How severe is GHSA-GQMF-56H7-RRPF? GHSA-GQMF-56H7-RRPF has a CVSS score of 7.6 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of praisonai are affected by GHSA-GQMF-56H7-RRPF? praisonai (npm) versions >= 1.2.3, <= 1.7.1 are affected.
  4. Is there a fix for GHSA-GQMF-56H7-RRPF? Yes. GHSA-GQMF-56H7-RRPF is fixed in 1.7.2. Upgrade to this version or later.
  5. Is GHSA-GQMF-56H7-RRPF exploitable, and should I be worried? Whether GHSA-GQMF-56H7-RRPF is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
  6. What actually determines whether GHSA-GQMF-56H7-RRPF is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix GHSA-GQMF-56H7-RRPF? Upgrade praisonai to 1.7.2 or later.
