{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/praisonai--2.6.0--4.6.57/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["praisonai (\u003e= 2.6.0, \u003c= 4.6.57)"],"_cs_severities":["high"],"_cs_tags":["path-traversal","application-vulnerability","python","file-write","file-deletion"],"_cs_type":"advisory","_cs_vendors":["PraisonAI"],"content_html":"\u003cp\u003ePraisonAI's template loader, particularly versions 2.6.0 through 4.6.57, contains a path traversal vulnerability (GHSA-f44v-7qgw-9gh9) that allows an attacker to manipulate file system operations. The issue stems from insufficient validation of user-controlled \u003ccode\u003eref\u003c/code\u003e and \u003ccode\u003etemplate path\u003c/code\u003e segments within GitHub template URIs (e.g., \u003ccode\u003egithub:owner/repo/template@v1.0.0\u003c/code\u003e). When a crafted URI with directory traversal sequences (\u003ccode\u003e..\u003c/code\u003e) is processed, PraisonAI's cache layer constructs file paths that escape its intended cache directory. This enables an attacker to either write arbitrary \u003ccode\u003e.cache_meta.json\u003c/code\u003e files to unintended locations or, under specific conditions, delete arbitrary directories on the host system. This vulnerability, distinct from Zip Slip attacks, does not require malicious archives and affects PraisonAI installations across various operating systems, posing a significant risk of data corruption or denial of service.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious PraisonAI GitHub template URI containing directory traversal sequences (e.g., \u003ccode\u003egithub:attacker/repo/template@../../../../outside-target\u003c/code\u003e) within the \u003ccode\u003eref\u003c/code\u003e portion.\u003c/li\u003e\n\u003cli\u003eA user or automated service loads this crafted URI using PraisonAI's \u003ccode\u003eTemplateLoader.load()\u003c/code\u003e method.\u003c/li\u003e\n\u003cli\u003ePraisonAI's template resolver (\u003ccode\u003epraisonai/templates/resolver.py\u003c/code\u003e) captures the owner, repo, template path, and the malicious \u003ccode\u003eref\u003c/code\u003e verbatim without segment validation.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003e_get_cache_path()\u003c/code\u003e function in \u003ccode\u003epraisonai/templates/cache.py\u003c/code\u003e concatenates these unvalidated segments to construct a local cache path, resulting in a path that escapes the intended \u003ccode\u003e~/.praison/cache/templates/\u003c/code\u003e directory.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eScenario A (Arbitrary File Write):\u003c/strong\u003e During the first load, the \u003ccode\u003ecache.put()\u003c/code\u003e method attempts to write the \u003ccode\u003e.cache_meta.json\u003c/code\u003e file to the attacker-controlled escaped path.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eScenario B (Arbitrary Directory Deletion):\u003c/strong\u003e If a legitimate cache entry for the \u003cem\u003esame owner/repo/template prefix\u003c/em\u003e already exists, a subsequent load with the malicious URI causes \u003ccode\u003ecache.put()\u003c/code\u003e to first call \u003ccode\u003eshutil.rmtree()\u003c/code\u003e on the attacker-controlled escaped path, deleting an arbitrary directory.\u003c/li\u003e\n\u003cli\u003eThe attacker successfully performs either the creation of \u003ccode\u003e.cache_meta.json\u003c/code\u003e at an arbitrary location (e.g., corrupting application configuration) or the deletion of an arbitrary directory on the system where PraisonAI is running.\u003c/li\u003e\n\u003cli\u003eThis leads to corruption of user configuration, project state, or application data, potentially resulting in denial of service or further compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this path traversal vulnerability can lead to severe consequences for organizations utilizing PraisonAI. An attacker can create arbitrary files, specifically \u003ccode\u003e.cache_meta.json\u003c/code\u003e, in locations outside the application's intended cache, potentially overwriting critical configuration files or injecting malicious data. More critically, under a specific two-stage scenario, an attacker can trigger the deletion of arbitrary directories via \u003ccode\u003eshutil.rmtree()\u003c/code\u003e, leading to data destruction, corruption of user or project data, or even a complete denial of service by removing essential system directories. All PraisonAI versions from 2.6.0 up to 4.6.57 are affected.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch PraisonAI immediately when a fix is released for versions \u0026gt;= 2.6.0 and \u0026lt;= 4.6.57 as per GHSA-f44v-7qgw-9gh9.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rules to detect suspicious file write and deletion activities initiated by PraisonAI processes.\u003c/li\u003e\n\u003cli\u003eEnable detailed file creation and deletion logging (e.g., Sysmon Event ID 11 for file creation, Event ID 23 for file deletion on Windows; auditd on Linux) for Python processes to activate the detection rules.\u003c/li\u003e\n\u003cli\u003eIf PraisonAI is used in a critical environment, implement strict path validation within any custom \u003ccode\u003eTemplateCache\u003c/code\u003e or \u003ccode\u003eTemplateLoader\u003c/code\u003e implementations to reject absolute paths, \u003ccode\u003e.\u003c/code\u003e or \u003ccode\u003e..\u003c/code\u003e segments, or paths escaping the intended cache root, as suggested in GHSA-f44v-7qgw-9gh9.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-06-18T15:28:36Z","date_published":"2026-06-18T15:28:36Z","id":"https://feed.craftedsignal.io/briefs/2026-06-praisonai-path-traversal/","summary":"PraisonAI's template loader is vulnerable to a path traversal flaw (GHSA-f44v-7qgw-9gh9) when processing GitHub template URIs, allowing an unauthenticated attacker to write arbitrary files or delete arbitrary directories on the system running PraisonAI, leading to corruption of user configuration, project state, or application data.","title":"PraisonAI GitHub template cache path traversal allows outside-cache file write and directory deletion","url":"https://feed.craftedsignal.io/briefs/2026-06-praisonai-path-traversal/"}],"language":"en","title":"CraftedSignal Threat Feed - Praisonai (\u003e= 2.6.0, \u003c= 4.6.57)","version":"https://jsonfeed.org/version/1.1"}