{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/a2a-server-example/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["A2A server example"],"_cs_severities":["critical"],"_cs_tags":["a2a","praisonai","rce","eval"],"_cs_type":"advisory","_cs_vendors":["PraisonAI"],"content_html":"\u003cp\u003eThe PraisonAI A2A server example combines three critical behaviors, leading to remotely exploitable code execution: the example exposes an A2A server without \u003ccode\u003eauth_token\u003c/code\u003e configuration, binds the server to \u003ccode\u003e0.0.0.0\u003c/code\u003e, and registers a \u003ccode\u003ecalculate(expression)\u003c/code\u003e tool implemented with Python \u003ccode\u003eeval(expression)\u003c/code\u003e. An unauthenticated network client can send a JSON-RPC \u003ccode\u003emessage/send\u003c/code\u003e request to the \u003ccode\u003e/a2a\u003c/code\u003e endpoint. The A2A handler then passes the attacker-controlled message to \u003ccode\u003eagent.chat()\u003c/code\u003e. When using a real Gemini LLM (\u003ccode\u003egemini/gemini-2.5-flash-lite\u003c/code\u003e), the model invokes the registered \u003ccode\u003ecalculate\u003c/code\u003e tool, causing the \u003ccode\u003eeval()\u003c/code\u003e call to execute arbitrary Python code in the server process. The impact is demonstrated with a canary writing a marker file from an unauthenticated \u003ccode\u003e/a2a\u003c/code\u003e request. 
This vulnerability is confirmed for the first-party A2A example and deployments following the same pattern of public unauthenticated A2A combined with an unsafe tool.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a PraisonAI A2A server instance running the vulnerable example with no authentication configured and bound to \u003ccode\u003e0.0.0.0\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a JSON-RPC \u003ccode\u003emessage/send\u003c/code\u003e request to the \u003ccode\u003e/a2a\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe A2A server receives the request and passes the message to the \u003ccode\u003eagent.chat()\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eagent.chat()\u003c/code\u003e function uses a real LLM (e.g., Gemini) to process the attacker-supplied input.\u003c/li\u003e\n\u003cli\u003eThe LLM determines that the \u003ccode\u003ecalculate\u003c/code\u003e tool is appropriate for the input.\u003c/li\u003e\n\u003cli\u003eThe LLM invokes the \u003ccode\u003ecalculate\u003c/code\u003e tool with an expression crafted by the attacker.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ecalculate\u003c/code\u003e tool executes the attacker-controlled expression using Python\u0026rsquo;s \u003ccode\u003eeval()\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves arbitrary Python code execution on the server, potentially leading to data exfiltration, system compromise, or denial of service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful exploitation of this vulnerability, as demonstrated in the official example, allows for remote prompt-to-tool execution from an unauthenticated network request. 
This leads to arbitrary Python execution through the example \u003ccode\u003ecalculate()\u003c/code\u003e tool\u0026rsquo;s \u003ccode\u003eeval()\u003c/code\u003e. Code executed this way runs with the privileges of the server process and can expose application files, internal credentials, and environment variables. The executed code could also cause denial of service or data corruption.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDo not expose A2A servers without authentication. Ensure the \u003ccode\u003eauth_token\u003c/code\u003e is configured correctly to prevent unauthenticated access (reference: \u003ccode\u003epraisonaiagents/ui/a2a/a2a.py\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eAvoid using \u003ccode\u003eeval()\u003c/code\u003e or similar unsafe functions in registered tools. Implement safe alternatives for calculations and data processing in the \u003ccode\u003ecalculate\u003c/code\u003e tool (reference: \u003ccode\u003eexamples/python/a2a/a2a-server.py\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eReview all registered A2A tools to ensure they do not provide unintended access to sensitive data or functionality. 
Consider implementing a whitelist of allowed functions for the \u003ccode\u003ecalculate\u003c/code\u003e tool (reference: \u003ccode\u003eexamples/python/a2a/a2a-server.py\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect PraisonAI A2A eval Code Execution\u003c/code\u003e to identify potential exploitation attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-29T22:32:53Z","date_published":"2026-05-29T22:32:53Z","id":"https://feed.craftedsignal.io/briefs/2026-05-praisonai-a2a-rce/","summary":"The PraisonAI A2A server example is vulnerable to remote code execution due to a combination of factors: the example exposes an A2A server without authentication, binds to 0.0.0.0, and registers a `calculate` tool implemented with Python `eval(expression)`.","title":"PraisonAI A2A Server Example Unauthenticated Remote Code Execution","url":"https://feed.craftedsignal.io/briefs/2026-05-praisonai-a2a-rce/"}],"language":"en","title":"CraftedSignal Threat Feed — A2A Server Example","version":"https://jsonfeed.org/version/1.1"}