PraisonAI MCP Path Traversal to RCE via .pth Injection

PraisonAI’s MCP (Model Context Protocol) server registers four file-handling tools by default: praisonai.rules.create, praisonai.rules.show, praisonai.rules.delete, and praisonai.workflow.show. Each accepts a path or filename string from MCP tools/call arguments and joins it onto ~/.praison/rules/ (or accepts an absolute path for workflow.show) without proper validation. The JSON-RPC dispatcher passes params["arguments"] without validating against the advertised input schema. This allows an attacker to write arbitrary files by escaping the rules directory, leading to arbitrary code execution via Python .pth injection into the user site-packages directory. The vulnerability can be exploited via LLMs with poisoned context, unauthenticated HTTP-stream transports, or prompt injection. No operator misconfiguration is required to trigger the vulnerability.

Attack Chain

1. An attacker poisons the context of an LLM connected to a PraisonAI MCP server through attacker-controlled web content, documents, or emails.
2. The user interacts with the LLM, asking it to summarize or analyze the poisoned content, which contains a crafted command.
3. The LLM, under prompt injection, crafts a tools/call request to the MCP server, targeting praisonai.rules.create with a malicious rule_name.
4. The crafted rule_name includes path traversal sequences (e.g., ../../) to write a file outside the intended rules directory.
5. The MCP server’s rules.create handler, lacking containment checks, writes the file to a location such as the user’s site-packages directory (e.g., ~/.local/lib/python3.14/site-packages/evil.pth).
6. The written file is a Python .pth file containing an import os; os.system("malicious_command") statement.
7. The next time the user starts a Python interpreter (including the praisonai CLI), the .pth file is processed, executing the attacker’s arbitrary code.
8. The attacker achieves arbitrary code execution with the user’s privileges, potentially leading to data exfiltration, system compromise, or lateral movement.

Impact

Successful exploitation allows an attacker to achieve arbitrary code execution on the victim’s machine. This can lead to data exfiltration, installation of malware, or further compromise of the system. The vulnerability affects any user running a PraisonAI MCP server connected to an LLM without proper input validation, and the default configuration of the HTTP-stream transport exposes the server to local attacks without requiring authentication. The impact is significant as it can compromise the user’s entire system and any data accessible to the user account.

Recommendation

• Apply input validation and containment to all file-handling tools. Specifically, implement checks to prevent path traversal in praisonai.rules.create, praisonai.rules.show, and praisonai.rules.delete as detailed in the “Suggested fix” section of the advisory.
• Enforce schema validation in the MCP dispatcher to ensure that params["arguments"] conforms to the expected schema, rejecting unknown properties and type mismatches.
• Restrict the workflow.show tool to only accept paths within a designated workflow directory and reject absolute paths or any value containing .., as outlined in the “Suggested fix” section.
• Deploy the Sigma rules provided in this brief to detect potential exploitation attempts and tune them for your environment.
• Require authentication on non-loopback HTTP-stream binds to prevent unauthorized access to the MCP server when using praisonai mcp serve --transport http-stream.