Attack Chain

1. An attacker poisons the context of an LLM connected to a PraisonAI MCP server through attacker-controlled web content, documents, or emails.
2. The user interacts with the LLM, asking it to summarize or analyze the poisoned content, which contains a crafted command.
3. The LLM, under prompt injection, crafts a tools/call request to the MCP server, targeting praisonai.rules.create with a malicious rule_name.
4. The crafted rule_name includes path traversal sequences (e.g., ../../) to write a file outside the intended rules directory.
5. The MCP server’s rules.create handler, lacking containment checks, writes the file to a location such as the user’s site-packages directory (e.g., ~/.local/lib/python3.14/site-packages/evil.pth).
6. The written file is a Python .pth file containing an import os; os.system("malicious_command") statement.
7. The next time the user starts a Python interpreter (including the praisonai CLI), the .pth file is processed, executing the attacker’s arbitrary code.
8. The attacker achieves arbitrary code execution with the user’s privileges, potentially leading to data exfiltration, system compromise, or lateral movement.

Impact

Successful exploitation allows an attacker to achieve arbitrary code execution on the victim’s machine. This can lead to data exfiltration, installation of malware, or further compromise of the system. The vulnerability affects any user running a PraisonAI MCP server connected to an LLM without proper input validation, and the default configuration of the HTTP-stream transport exposes the server to local attacks without requiring authentication. The impact is significant as it can compromise the user’s entire system and any data accessible to the user account.

Recommendation

• Apply input validation and containment to all file-handling tools. Specifically, implement checks to prevent path traversal in praisonai.rules.create, praisonai.rules.show, and praisonai.rules.delete as detailed in the “Suggested fix” section of the advisory.
• Enforce schema validation in the MCP dispatcher to ensure that params["arguments"] conforms to the expected schema, rejecting unknown properties and type mismatches.
• Restrict the workflow.show tool to only accept paths within a designated workflow directory and reject absolute paths or any value containing .., as outlined in the “Suggested fix” section.
• Deploy the Sigma rules provided in this brief to detect potential exploitation attempts and tune them for your environment.
• Require authentication on non-loopback HTTP-stream binds to prevent unauthorized access to the MCP server when using praisonai mcp serve --transport http-stream.