{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/praisonai-recipe-registry/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["PraisonAI Recipe Registry"],"_cs_severities":["high"],"_cs_tags":["path-traversal","file-write","praisonai"],"_cs_type":"advisory","_cs_vendors":["PraisonAI"],"content_html":"\u003cp\u003ePraisonAI's recipe registry is vulnerable to a path traversal issue (CVE-2026-39308) affecting versions up to and including 4.5.112. The vulnerability arises in the \u003ccode\u003epublish\u003c/code\u003e endpoint due to insufficient validation of the \u003ccode\u003ename\u003c/code\u003e and \u003ccode\u003eversion\u003c/code\u003e fields within the \u003ccode\u003emanifest.json\u003c/code\u003e file of an uploaded recipe bundle. A malicious actor can inject \u003ccode\u003e../\u003c/code\u003e sequences into these fields, causing the registry server to write files to arbitrary locations outside the designated registry root. This occurs because the server creates the directory structure based on the manifest values before validating them against the URL parameters. Although the server eventually rejects the request with a HTTP 400 error if a mismatch is detected, the out-of-root artifact remains on the filesystem, posing a significant security risk. This allows for arbitrary file writes, potentially leading to integrity and availability issues.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious \u003ccode\u003e.praison\u003c/code\u003e recipe bundle.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the \u003ccode\u003emanifest.json\u003c/code\u003e file within the bundle, injecting \u003ccode\u003e../\u003c/code\u003e sequences into the \u003ccode\u003ename\u003c/code\u003e field, for example setting \u003ccode\u003e\u0026quot;name\u0026quot;: \u0026quot;../../outside-dir\u0026quot;\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a \u003ccode\u003ePOST\u003c/code\u003e request to the \u003ccode\u003e/v1/recipes/{name}/{version}\u003c/code\u003e endpoint, uploading the malicious bundle, seemingly targeting a safe location such as \u003ccode\u003e/v1/recipes/safe/1.0.0\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eRegistryServer._handle_publish()\u003c/code\u003e function parses the request and writes the uploaded \u003ccode\u003e.praison\u003c/code\u003e file to a temporary path.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eLocalRegistry.publish()\u003c/code\u003e function opens the tarball, reads the attacker-controlled \u003ccode\u003emanifest.json\u003c/code\u003e, and constructs a path based on the malicious \u003ccode\u003ename\u003c/code\u003e and \u003ccode\u003eversion\u003c/code\u003e fields: \u003ccode\u003eself.recipes_path / name / version\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe server creates directories based on the manipulated path using \u003ccode\u003erecipe_dir.mkdir(parents=True, exist_ok=True)\u003c/code\u003e, effectively traversing out of the intended registry root.\u003c/li\u003e\n\u003cli\u003eThe server copies the uploaded bundle to the out-of-root destination.\u003c/li\u003e\n\u003cli\u003eThe server then validates the manifest values against the URL parameters. Because they don't match, the server attempts to delete the file but it still persists due to the path traversal. The server returns an HTTP 400 error, but the malicious file has already been written outside the registry root.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis vulnerability allows for arbitrary file write operations outside the intended registry root, creating a high integrity risk. Successful exploitation can lead to the creation or overwriting of critical system files, potentially leading to denial-of-service or privilege escalation. While the provided PoC demonstrates a single file write, the ability to write to arbitrary locations significantly broadens the attack surface. Impacted parties include registry operators running the PraisonAI recipe registry service and any deployment that allows remote recipe publication. If adjacent writable locations contain sensitive application data or service files, the impact can be substantial.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003ePraisonAI Recipe Registry Path Traversal Attempt\u003c/code\u003e to detect attempts to exploit this vulnerability based on the creation of files with path traversal sequences in their names (file_event logs).\u003c/li\u003e\n\u003cli\u003eUpgrade to a patched version of PraisonAI that includes validation of \u003ccode\u003emanifest.json\u003c/code\u003e \u003ccode\u003ename\u003c/code\u003e and \u003ccode\u003eversion\u003c/code\u003e fields prior to any filesystem write.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for HTTP 400 errors associated with recipe publish requests and investigate the associated uploaded files for path traversal attempts (webserver logs).\u003c/li\u003e\n\u003cli\u003eImplement input validation for recipe names and versions on the client-side to prevent users from creating recipes with malicious names.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-04T12:00:00Z","date_published":"2024-01-04T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-04-praisonai-path-traversal/","summary":"A path traversal vulnerability exists in PraisonAI's recipe registry publish endpoint, allowing attackers to write files outside the registry root by manipulating the manifest file in a recipe bundle, despite eventual validation failure.","title":"PraisonAI Recipe Registry Path Traversal Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-04-praisonai-path-traversal/"}],"language":"en","title":"CraftedSignal Threat Feed - PraisonAI Recipe Registry","version":"https://jsonfeed.org/version/1.1"}