{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/yaml/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["praisonai","rce","yaml"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003ePraisonAI is vulnerable to remote code execution via specially crafted YAML files. The vulnerability stems from the \u003ccode\u003epraisonai workflow run \u0026lt;file.yaml\u0026gt;\u003c/code\u003e command, which, when processing YAML files with \u003ccode\u003etype: job\u003c/code\u003e, executes steps through the \u003ccode\u003eJobWorkflowExecutor\u003c/code\u003e class in \u003ccode\u003ejob_workflow.py\u003c/code\u003e. This execution path supports shell command execution via \u003ccode\u003esubprocess.run()\u003c/code\u003e, inline Python execution via \u003ccode\u003eexec()\u003c/code\u003e, and arbitrary Python script execution. An attacker can leverage this to inject malicious code into a YAML file, such as \u003ccode\u003eexploit.yaml\u003c/code\u003e, to achieve arbitrary host command execution. Versions of \u003ccode\u003epip/praisonaiagents\u003c/code\u003e up to and including 1.5.139 and \u003ccode\u003epip/PraisonAI\u003c/code\u003e up to and including 4.5.138 are affected. This is especially critical in CI/CD environments or shared deployment contexts where untrusted YAML files may be processed.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious YAML file (e.g., \u003ccode\u003eexploit.yaml\u003c/code\u003e) containing commands to be executed.\u003c/li\u003e\n\u003cli\u003eThe attacker gains access to a system where PraisonAI is installed and can execute the \u003ccode\u003epraisonai\u003c/code\u003e command.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the command \u003ccode\u003epraisonai workflow run exploit.yaml\u003c/code\u003e, pointing to the malicious YAML file.\u003c/li\u003e\n\u003cli\u003ePraisonAI parses the YAML file and identifies the \u003ccode\u003etype: job\u003c/code\u003e directive.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eJobWorkflowExecutor\u003c/code\u003e class in \u003ccode\u003ejob_workflow.py\u003c/code\u003e is invoked to process the workflow steps.\u003c/li\u003e\n\u003cli\u003eWithin the workflow steps, commands specified using \u003ccode\u003erun:\u003c/code\u003e, \u003ccode\u003escript:\u003c/code\u003e, or \u003ccode\u003epython:\u003c/code\u003e directives are executed. Specifically, \u003ccode\u003e_exec_shell()\u003c/code\u003e executes shell commands, \u003ccode\u003e_exec_inline_python()\u003c/code\u003e executes inline Python, and \u003ccode\u003e_exec_python_script()\u003c/code\u003e executes Python scripts.\u003c/li\u003e\n\u003cli\u003eThe malicious code executes, performing actions such as writing files (e.g., \u003ccode\u003epwned.txt\u003c/code\u003e) or executing arbitrary system commands.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves arbitrary code execution on the host system, leading to potential system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows a remote or local attacker to execute arbitrary host commands and code. This can lead to full system compromise, including data theft, modification, or destruction. In CI/CD or shared deployment contexts, this could impact multiple systems or applications. The reporter marked this as a critical severity vulnerability.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade \u003ccode\u003epip/praisonaiagents\u003c/code\u003e and \u003ccode\u003epip/PraisonAI\u003c/code\u003e to versions greater than 1.5.139 and 4.5.138, respectively, to patch the vulnerability as stated in the overview.\u003c/li\u003e\n\u003cli\u003eImplement strict input validation and sanitization for all YAML files processed by PraisonAI, paying close attention to the \u003ccode\u003etype: job\u003c/code\u003e directive to prevent execution of arbitrary commands and code.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect PraisonAI Workflow Execution with Suspicious YAML\u0026rdquo; to your SIEM to detect potential exploitation attempts, based on log source \u003ccode\u003eprocess_creation\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-10T19:32:48Z","date_published":"2026-04-10T19:32:48Z","id":"/briefs/2024-01-03-praisonai-rce/","summary":"PraisonAI is vulnerable to remote code execution; loading untrusted YAML files with `type: job` can lead to arbitrary host command execution, potentially enabling full system compromise.","title":"PraisonAI Remote Code Execution via Malicious Workflow YAML","url":"https://feed.craftedsignal.io/briefs/2024-01-03-praisonai-rce/"}],"language":"en","title":"CraftedSignal Threat Feed — Yaml","version":"https://jsonfeed.org/version/1.1"}