PraisonAI Remote Code Execution via Malicious Workflow YAML

PraisonAI is vulnerable to remote code execution via specially crafted YAML files. The vulnerability stems from the praisonai workflow run <file.yaml> command, which, when processing YAML files with type: job, executes steps through the JobWorkflowExecutor class in job_workflow.py. This execution path supports shell command execution via subprocess.run(), inline Python execution via exec(), and arbitrary Python script execution. An attacker can leverage this to inject malicious code into a YAML file, such as exploit.yaml, to achieve arbitrary host command execution. Versions of pip/praisonaiagents up to and including 1.5.139 and pip/PraisonAI up to and including 4.5.138 are affected. This is especially critical in CI/CD environments or shared deployment contexts where untrusted YAML files may be processed.

Attack Chain

1. An attacker crafts a malicious YAML file (e.g., exploit.yaml) containing commands to be executed.
2. The attacker gains access to a system where PraisonAI is installed and can execute the praisonai command.
3. The attacker executes the command praisonai workflow run exploit.yaml, pointing to the malicious YAML file.
4. PraisonAI parses the YAML file and identifies the type: job directive.
5. The JobWorkflowExecutor class in job_workflow.py is invoked to process the workflow steps.
6. Within the workflow steps, commands specified using run:, script:, or python: directives are executed. Specifically, _exec_shell() executes shell commands, _exec_inline_python() executes inline Python, and _exec_python_script() executes Python scripts.
7. The malicious code executes, performing actions such as writing files (e.g., pwned.txt) or executing arbitrary system commands.
8. The attacker achieves arbitrary code execution on the host system, leading to potential system compromise.

Impact

Successful exploitation allows a remote or local attacker to execute arbitrary host commands and code. This can lead to full system compromise, including data theft, modification, or destruction. In CI/CD or shared deployment contexts, this could impact multiple systems or applications. The reporter marked this as a critical severity vulnerability.

Recommendation

• Upgrade pip/praisonaiagents and pip/PraisonAI to versions greater than 1.5.139 and 4.5.138, respectively, to patch the vulnerability as stated in the overview.
• Implement strict input validation and sanitization for all YAML files processed by PraisonAI, paying close attention to the type: job directive to prevent execution of arbitrary commands and code.
• Deploy the Sigma rule “Detect PraisonAI Workflow Execution with Suspicious YAML” to your SIEM to detect potential exploitation attempts, based on log source process_creation.