Attack Chain

1. An attacker crafts a malicious YAML file (e.g., exploit.yaml) containing commands to be executed.
2. The attacker gains access to a system where PraisonAI is installed and can execute the praisonai command.
3. The attacker executes the command praisonai workflow run exploit.yaml, pointing to the malicious YAML file.
4. PraisonAI parses the YAML file and identifies the type: job directive.
5. The JobWorkflowExecutor class in job_workflow.py is invoked to process the workflow steps.
6. Within the workflow steps, commands specified using run:, script:, or python: directives are executed. Specifically, _exec_shell() executes shell commands, _exec_inline_python() executes inline Python, and _exec_python_script() executes Python scripts.
7. The malicious code executes, performing actions such as writing files (e.g., pwned.txt) or executing arbitrary system commands.
8. The attacker achieves arbitrary code execution on the host system, leading to potential system compromise.

Impact

Successful exploitation allows a remote or local attacker to execute arbitrary host commands and code. This can lead to full system compromise, including data theft, modification, or destruction. In CI/CD or shared deployment contexts, this could impact multiple systems or applications. The reporter marked this as a critical severity vulnerability.

Recommendation

• Upgrade pip/praisonaiagents and pip/PraisonAI to versions greater than 1.5.139 and 4.5.138, respectively, to patch the vulnerability as stated in the overview.
• Implement strict input validation and sanitization for all YAML files processed by PraisonAI, paying close attention to the type: job directive to prevent execution of arbitrary commands and code.
• Deploy the Sigma rule “Detect PraisonAI Workflow Execution with Suspicious YAML” to your SIEM to detect potential exploitation attempts, based on log source process_creation.