{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/praisonai-npm-package--1.6.0--1.7.1/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["praisonai (npm package) (\u003e= 1.6.0, \u003c= 1.7.1)"],"_cs_severities":["critical"],"_cs_tags":["api-abuse","unauthenticated-access","information-disclosure","server-side-request-forgery","web","node.js","npm"],"_cs_type":"advisory","_cs_vendors":["PraisonAI"],"content_html":"\u003cp\u003eThe npm \u003ccode\u003epraisonai\u003c/code\u003e package, specifically versions \u003ccode\u003e\u0026gt;= 1.6.0\u003c/code\u003e through \u003ccode\u003e1.7.1\u003c/code\u003e, contains a critical vulnerability in its TypeScript \u003ccode\u003eAgentOS\u003c/code\u003e HTTP server component. This server defaults to binding on \u003ccode\u003e0.0.0.0\u003c/code\u003e (all network interfaces) and fails to implement any authentication or authorization checks for sensitive API endpoints. Attackers who can reach a running \u003ccode\u003eAgentOS\u003c/code\u003e instance can, without any authentication, enumerate agent names, roles, and partial instructions via \u003ccode\u003eGET /api/agents\u003c/code\u003e and, crucially, can invoke configured agents via \u003ccode\u003ePOST /api/chat\u003c/code\u003e. This directly contradicts PraisonAI's own security documentation regarding hardened API servers and exposes organizations using the affected versions to significant risks, including unauthorized data access, manipulation of systems through agent actions, and resource exhaustion.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies an internet-facing host running the \u003ccode\u003epraisonai\u003c/code\u003e \u003ccode\u003eAgentOS\u003c/code\u003e server (e.g., on default port 8000), which is listening on \u003ccode\u003e0.0.0.0\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eAttacker sends an unauthenticated \u003ccode\u003eGET\u003c/code\u003e request to \u003ccode\u003e/api/agents\u003c/code\u003e (or a configured \u003ccode\u003eapiPrefix\u003c/code\u003e) to enumerate active agent names, roles, and up to 100 characters of their instructions.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eAgentOS\u003c/code\u003e server responds with sensitive metadata, such as an agent named \u0026quot;finance-admin\u0026quot; with instructions like \u0026quot;poc SECRET: refund-wire-tool may alter customer balances\u0026quot;.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious prompt or command based on the disclosed agent information and observed functionality.\u003c/li\u003e\n\u003cli\u003eAttacker sends an unauthenticated \u003ccode\u003ePOST\u003c/code\u003e request to \u003ccode\u003e/api/chat\u003c/code\u003e (or \u003ccode\u003eapiPrefix/chat\u003c/code\u003e), containing the malicious input targeted at a selected agent.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eAgentOS\u003c/code\u003e server invokes the target agent's \u003ccode\u003echat\u003c/code\u003e function with the attacker's input, triggering unauthorized actions within the agent's configured environment.\u003c/li\u003e\n\u003cli\u003eDepending on the agent's capabilities (e.g., access to tools, external APIs, credentials, file system), this leads to data exfiltration, system modification, or resource consumption.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eAn attacker successfully exploiting this vulnerability can cause severe damage. The primary impact is unauthorized access and control over configured PraisonAI agents. This can lead to the compromise of sensitive data through \u003ccode\u003eGET /api/agents\u003c/code\u003e revealing internal workflows and specific instructions, or more critically, through \u003ccode\u003ePOST /api/chat\u003c/code\u003e by inducing agents to exfiltrate data, interact with internal systems, or manipulate workflows. While the report does not claim arbitrary code execution by default, if agents are configured with access to tools (e.g., file system, shell execution, external APIs with credentials), unauthenticated invocation effectively becomes an entry point for those powerful capabilities, leading to potential complete system compromise or data destruction. All organizations deploying \u003ccode\u003epraisonai\u003c/code\u003e npm package versions \u003ccode\u003e\u0026gt;= 1.6.0, \u0026lt;= 1.7.1\u003c/code\u003e in an exposed manner are at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rules in this brief to your SIEM for webserver logs to detect unauthenticated access attempts to \u003ccode\u003e/api/agents\u003c/code\u003e and \u003ccode\u003e/api/chat\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eEnsure your network perimeter blocks unsolicited inbound connections to \u003ccode\u003epraisonai AgentOS\u003c/code\u003e instances running on \u003ccode\u003e0.0.0.0\u003c/code\u003e and default ports (e.g., 8000) from untrusted networks.\u003c/li\u003e\n\u003cli\u003ePrioritize updating the \u003ccode\u003epraisonai\u003c/code\u003e npm package to a fixed version once released; if an immediate patch is unavailable, implement custom authentication middleware for affected \u003ccode\u003eAgentOS\u003c/code\u003e instances.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for \u003ccode\u003eGET\u003c/code\u003e requests to \u003ccode\u003e/api/agents\u003c/code\u003e and \u003ccode\u003ePOST\u003c/code\u003e requests to \u003ccode\u003e/api/chat\u003c/code\u003e originating from unexpected source IPs or without expected authentication headers, as detected by the rules.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-06-18T14:48:13Z","date_published":"2026-06-18T14:48:13Z","id":"https://feed.craftedsignal.io/briefs/2026-06-npm-praisonai-unauthenticated-api/","summary":"The npm `praisonai` package's TypeScript `AgentOS` HTTP server defaults to `0.0.0.0` and exposes unauthenticated API endpoints (`/api/agents`, `/api/chat`), allowing attackers to disclose agent configurations and invoke agents without authorization, leading to potential data exfiltration, unauthorized actions, and resource consumption.","title":"npm PraisonAI AgentOS Unauthenticated API Exposure","url":"https://feed.craftedsignal.io/briefs/2026-06-npm-praisonai-unauthenticated-api/"}],"language":"en","title":"CraftedSignal Threat Feed - Praisonai (Npm Package) (\u003e= 1.6.0, \u003c= 1.7.1)","version":"https://jsonfeed.org/version/1.1"}