<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>PraisonAI Recipe Registry - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/praisonai-recipe-registry/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Thu, 04 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/praisonai-recipe-registry/feed.xml" rel="self" type="application/rss+xml"/><item><title>PraisonAI Recipe Registry Path Traversal Vulnerability</title><link>https://feed.craftedsignal.io/briefs/2024-01-04-praisonai-path-traversal/</link><pubDate>Thu, 04 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-04-praisonai-path-traversal/</guid><description>A path traversal vulnerability exists in PraisonAI's recipe registry publish endpoint, allowing attackers to write files outside the registry root by manipulating the manifest file in a recipe bundle, despite eventual validation failure.</description><content:encoded><![CDATA[<p>PraisonAI's recipe registry is vulnerable to a path traversal issue (CVE-2026-39308) affecting versions up to and including 4.5.112. The vulnerability arises in the <code>publish</code> endpoint due to insufficient validation of the <code>name</code> and <code>version</code> fields within the <code>manifest.json</code> file of an uploaded recipe bundle. A malicious actor can inject <code>../</code> sequences into these fields, causing the registry server to write files to arbitrary locations outside the designated registry root. This occurs because the server creates the directory structure based on the manifest values before validating them against the URL parameters. Although the server eventually rejects the request with a HTTP 400 error if a mismatch is detected, the out-of-root artifact remains on the filesystem, posing a significant security risk. This allows for arbitrary file writes, potentially leading to integrity and availability issues.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker crafts a malicious <code>.praison</code> recipe bundle.</li>
<li>The attacker modifies the <code>manifest.json</code> file within the bundle, injecting <code>../</code> sequences into the <code>name</code> field, for example setting <code>&quot;name&quot;: &quot;../../outside-dir&quot;</code>.</li>
<li>The attacker sends a <code>POST</code> request to the <code>/v1/recipes/{name}/{version}</code> endpoint, uploading the malicious bundle, seemingly targeting a safe location such as <code>/v1/recipes/safe/1.0.0</code>.</li>
<li>The <code>RegistryServer._handle_publish()</code> function parses the request and writes the uploaded <code>.praison</code> file to a temporary path.</li>
<li>The <code>LocalRegistry.publish()</code> function opens the tarball, reads the attacker-controlled <code>manifest.json</code>, and constructs a path based on the malicious <code>name</code> and <code>version</code> fields: <code>self.recipes_path / name / version</code>.</li>
<li>The server creates directories based on the manipulated path using <code>recipe_dir.mkdir(parents=True, exist_ok=True)</code>, effectively traversing out of the intended registry root.</li>
<li>The server copies the uploaded bundle to the out-of-root destination.</li>
<li>The server then validates the manifest values against the URL parameters. Because they don't match, the server attempts to delete the file but it still persists due to the path traversal. The server returns an HTTP 400 error, but the malicious file has already been written outside the registry root.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>This vulnerability allows for arbitrary file write operations outside the intended registry root, creating a high integrity risk. Successful exploitation can lead to the creation or overwriting of critical system files, potentially leading to denial-of-service or privilege escalation. While the provided PoC demonstrates a single file write, the ability to write to arbitrary locations significantly broadens the attack surface. Impacted parties include registry operators running the PraisonAI recipe registry service and any deployment that allows remote recipe publication. If adjacent writable locations contain sensitive application data or service files, the impact can be substantial.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule <code>PraisonAI Recipe Registry Path Traversal Attempt</code> to detect attempts to exploit this vulnerability based on the creation of files with path traversal sequences in their names (file_event logs).</li>
<li>Upgrade to a patched version of PraisonAI that includes validation of <code>manifest.json</code> <code>name</code> and <code>version</code> fields prior to any filesystem write.</li>
<li>Monitor web server logs for HTTP 400 errors associated with recipe publish requests and investigate the associated uploaded files for path traversal attempts (webserver logs).</li>
<li>Implement input validation for recipe names and versions on the client-side to prevent users from creating recipes with malicious names.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>path-traversal</category><category>file-write</category><category>praisonai</category></item></channel></rss>