Product

Npm:praisonai (>= 1.2.3, <= 1.7.1)

1 brief RSS

npm PraisonAI SandboxExecutor allowedCommands bypass via shell chaining

A critical command injection vulnerability exists in the `npm:praisonai` package versions >= 1.2.3 and <= 1.7.1, where the `SandboxExecutor`'s `allowedCommands` policy is bypassed by allowing arbitrary shell command chaining after an allowlisted command, leading to remote code execution with the PraisonAI process privileges.

npm:praisonai command-injection npm nodejs sandbox-bypass vulnerability rce server-side

1r 1t 2d ago