GHSA-22CJ-M4WF-FV2C
Vulnerability from github – Published: 2026-06-18 13:52 – Updated: 2026-06-18 13:52PraisonAI Dynamic Context history and terminal tools read files outside configured storage via path traversal
Summary
PraisonAI's Dynamic Context module provides filesystem-backed history and terminal-log storage. The SDK reference describes the module as providing:
- artifact storage for tool outputs, history, and terminal logs;
- history persistence with search; and
- terminal session logging.
The module also exports agent-callable tool factories:
create_history_tools()returnshistory_search,history_tail, andhistory_get.create_terminal_tools()returnsterminal_tail,terminal_grep, andterminal_commands.
Those tools accept run_id and agent_id arguments from the tool caller. The
underlying stores join those values into filesystem paths without rejecting
absolute paths or .. traversal:
history_dir = self.base_dir / run_id / "history"
return history_dir / f"{agent_id}.jsonl"
terminal_dir = self.base_dir / run_id / "terminal"
return terminal_dir / f"{agent_id}.log"
Because run_id can be an absolute path and agent_id can contain traversal,
a lower-trust prompt/user that can call these tools can read .jsonl and
.log files outside the configured Dynamic Context base directory.
Affected Product
- Repository:
MervinPraison/PraisonAI - Ecosystem:
pip - Package:
praisonai - Component: Dynamic Context history and terminal tools
- Current source paths:
src/praisonai/praisonai/context/history_store.pysrc/praisonai/praisonai/context/terminal_logger.py- Latest PyPI version validated:
4.6.58 - Current
origin/mainvalidated:1ad58ca02975ff1398efeda694ea2ab78f20cf3e - Current
origin/maintag validated:v4.6.58
Suggested affected range:
pip:praisonai >= 3.8.1, <= 4.6.58
Representative local sweep:
3.8.1: vulnerable4.0.0: vulnerable4.5.113: vulnerable4.6.33: vulnerable4.6.34: vulnerable4.6.40: vulnerable4.6.50: vulnerable4.6.58: vulnerable
Root Cause
HistoryStore._get_history_path() and TerminalLogger._get_log_path() treat
logical identifiers as path segments, but never validate that the resolved path
stays under base_dir.
History path construction:
def _get_history_path(self, run_id: str, agent_id: str) -> Path:
history_dir = self.base_dir / run_id / "history"
history_dir.mkdir(parents=True, exist_ok=True)
return history_dir / f"{agent_id}.jsonl"
Terminal path construction:
def _get_log_path(self, run_id: str, agent_id: str) -> Path:
terminal_dir = self.base_dir / run_id / "terminal"
terminal_dir.mkdir(parents=True, exist_ok=True)
return terminal_dir / f"{agent_id}.log"
The agent tools pass caller-controlled run_id and agent_id directly into
these helpers:
def history_tail(agent_id: str = "default", run_id: str = "default", count: int = 10) -> str:
messages = history_store.get_last_messages(agent_id=agent_id, run_id=run_id, count=count)
def terminal_tail(agent_id: str = "default", run_id: str = "default", lines: int = 50) -> str:
return term_logger.tail_session(agent_id=agent_id, run_id=run_id, lines=lines)
There is no check equivalent to:
resolved = candidate.resolve()
base = self.base_dir.resolve()
resolved.relative_to(base)
There is also no identifier allowlist preventing /, \, or .. in
run_id or agent_id.
Local PoV
Run against the latest PyPI package:
uv run --with 'praisonai==4.6.58' \
python poc/pov_prai_cand_027_history_terminal_tools_path_traversal.py --json
The PoV:
- Creates a temporary Dynamic Context base directory.
- Creates a separate outside directory containing
secret.jsonlandsecret.log. - Creates legitimate in-base history and terminal log controls.
- Calls
history_tail()andhistory_get()withrun_id=<outside-dir>andagent_id=../secret. - Calls
terminal_tail()andterminal_grep()with the same traversal. - Confirms the traversal paths resolve to files outside the configured base.
Observed output summary from evidence/pov-pypi-4.6.58.json:
{
"package": "praisonai",
"package_version": "4.6.58",
"controls": {
"valid_history_read_works": true,
"valid_terminal_read_works": true,
"outside_history_file_outside_base_dir": true,
"outside_terminal_file_outside_base_dir": true,
"traversal_history_path_resolves_to_outside_file": true,
"traversal_terminal_path_resolves_to_outside_file": true
},
"outside_history_tail": "Last 1 messages:\\n\\n[system]: PRAI-CAND-027-HISTORY-SECRET",
"outside_terminal_tail": "PRAI-CAND-027-TERMINAL-SECRET\\nsecond line\\n",
"outside_terminal_grep": "Found 1 matches:\\n\\n--- Line 1 ---\\n> PRAI-CAND-027-TERMINAL-SECRET\\n second line",
"vulnerable": true
}
The PoV is local-only. It does not start a server, contact a third-party target, or use real credentials.
Why This Is Not Intended Behavior
This report does not claim that history and terminal helpers should be unable
to read legitimate history or terminal logs. The issue is narrower: logical
run_id and agent_id values can escape the configured Dynamic Context base
directory.
The controls show the intended boundary:
- legitimate in-base history remains readable;
- legitimate in-base terminal logs remain readable;
- the outside
.jsonland.logfiles are not under the configuredbase_dir; and - the tools still disclose those outside files through traversal identifiers.
The official context reference describes history persistence and terminal logging as filesystem-backed Dynamic Context features. The context security documentation also treats absolute paths, path traversal, and sensitive files as privacy/security risks. Reading files outside the configured context store conflicts with that documented boundary.
Impact
If a PraisonAI application exposes these Dynamic Context tools to untrusted or lower-trust prompts, the lower-trust caller can read files outside the configured context storage when the target file can be reached with the tool-imposed suffix:
history_*tools can disclose reachable.jsonlfiles;terminal_*tools can disclose reachable.logfiles; and- cross-run or cross-agent context/history/logs can be disclosed if their path is known or guessable.
This can expose conversation history, prompts, terminal output, command logs, tokens, API keys, cloud credentials, operational data, or other secrets stored in JSONL/log files readable by the PraisonAI process.
The impact is confidentiality-only in the tested surface. Integrity and availability are not claimed for this report.
Severity
Suggested severity: High.
Rationale:
AV: applies when an application exposes an agent with these tools over a network chat/API surface.AC: the traversal needs only chosenrun_idandagent_idvalues.PR: an unauthenticated or public-facing agent endpoint can be exploited without an account. Deployments that require authenticated chat/API access may score this asPR:L.UI: the attacker directly supplies the prompt/tool argument to the exposed agent surface.C: conversation history and terminal logs can contain secrets and private operational data.I:N/A: this report demonstrates read-only disclosure.
Remediation
Treat run_id and agent_id as logical identifiers, not path components.
Recommended fixes:
- Reject absolute paths, path separators, and traversal components in
run_idandagent_id. - Build candidate paths, call
.resolve(), and reject any path that is not underself.base_dir.resolve(). - Apply the same containment helper to history append/read/search/clear/export and terminal log/read/search/clear/export paths.
- Prefer opaque server-generated run and agent IDs in tool schemas.
- Add regression tests for absolute
run_id,../inrun_id, and../inagent_idfor history and terminal tool factories.
Minimal containment shape:
def _safe_child(self, *parts: str) -> Path:
candidate = self.base_dir.joinpath(*parts).resolve()
base = self.base_dir.resolve()
try:
candidate.relative_to(base)
except ValueError as exc:
raise PermissionError("Context path is outside configured base_dir") from exc
return candidate
Pair this with an identifier allowlist, because run_id and agent_id should
not need filesystem syntax.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 4.6.58"
},
"package": {
"ecosystem": "PyPI",
"name": "praisonai"
},
"ranges": [
{
"events": [
{
"introduced": "3.8.1"
},
{
"fixed": "4.6.59"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-22"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-18T13:52:32Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "# PraisonAI Dynamic Context history and terminal tools read files outside configured storage via path traversal\n\n## Summary\n\nPraisonAI\u0027s Dynamic Context module provides filesystem-backed history and\nterminal-log storage. The SDK reference describes the module as providing:\n\n- artifact storage for tool outputs, history, and terminal logs;\n- history persistence with search; and\n- terminal session logging.\n\nThe module also exports agent-callable tool factories:\n\n- `create_history_tools()` returns `history_search`, `history_tail`, and\n `history_get`.\n- `create_terminal_tools()` returns `terminal_tail`, `terminal_grep`, and\n `terminal_commands`.\n\nThose tools accept `run_id` and `agent_id` arguments from the tool caller. The\nunderlying stores join those values into filesystem paths without rejecting\nabsolute paths or `..` traversal:\n\n```python\nhistory_dir = self.base_dir / run_id / \"history\"\nreturn history_dir / f\"{agent_id}.jsonl\"\n```\n\n```python\nterminal_dir = self.base_dir / run_id / \"terminal\"\nreturn terminal_dir / f\"{agent_id}.log\"\n```\n\nBecause `run_id` can be an absolute path and `agent_id` can contain traversal,\na lower-trust prompt/user that can call these tools can read `.jsonl` and\n`.log` files outside the configured Dynamic Context base directory.\n\n## Affected Product\n\n- Repository: `MervinPraison/PraisonAI`\n- Ecosystem: `pip`\n- Package: `praisonai`\n- Component: Dynamic Context history and terminal tools\n- Current source paths:\n - `src/praisonai/praisonai/context/history_store.py`\n - `src/praisonai/praisonai/context/terminal_logger.py`\n- Latest PyPI version validated: `4.6.58`\n- Current `origin/main` validated:\n `1ad58ca02975ff1398efeda694ea2ab78f20cf3e`\n- Current `origin/main` tag validated: `v4.6.58`\n\nSuggested affected range:\n\n```text\npip:praisonai \u003e= 3.8.1, \u003c= 4.6.58\n```\n\nRepresentative local sweep:\n\n- `3.8.1`: vulnerable\n- `4.0.0`: vulnerable\n- `4.5.113`: vulnerable\n- `4.6.33`: vulnerable\n- `4.6.34`: vulnerable\n- `4.6.40`: vulnerable\n- `4.6.50`: vulnerable\n- `4.6.58`: vulnerable\n\n## Root Cause\n\n`HistoryStore._get_history_path()` and `TerminalLogger._get_log_path()` treat\nlogical identifiers as path segments, but never validate that the resolved path\nstays under `base_dir`.\n\nHistory path construction:\n\n```python\ndef _get_history_path(self, run_id: str, agent_id: str) -\u003e Path:\n history_dir = self.base_dir / run_id / \"history\"\n history_dir.mkdir(parents=True, exist_ok=True)\n return history_dir / f\"{agent_id}.jsonl\"\n```\n\nTerminal path construction:\n\n```python\ndef _get_log_path(self, run_id: str, agent_id: str) -\u003e Path:\n terminal_dir = self.base_dir / run_id / \"terminal\"\n terminal_dir.mkdir(parents=True, exist_ok=True)\n return terminal_dir / f\"{agent_id}.log\"\n```\n\nThe agent tools pass caller-controlled `run_id` and `agent_id` directly into\nthese helpers:\n\n```python\ndef history_tail(agent_id: str = \"default\", run_id: str = \"default\", count: int = 10) -\u003e str:\n messages = history_store.get_last_messages(agent_id=agent_id, run_id=run_id, count=count)\n```\n\n```python\ndef terminal_tail(agent_id: str = \"default\", run_id: str = \"default\", lines: int = 50) -\u003e str:\n return term_logger.tail_session(agent_id=agent_id, run_id=run_id, lines=lines)\n```\n\nThere is no check equivalent to:\n\n```python\nresolved = candidate.resolve()\nbase = self.base_dir.resolve()\nresolved.relative_to(base)\n```\n\nThere is also no identifier allowlist preventing `/`, `\\`, or `..` in\n`run_id` or `agent_id`.\n\n## Local PoV\n\nRun against the latest PyPI package:\n\n```bash\nuv run --with \u0027praisonai==4.6.58\u0027 \\\n python poc/pov_prai_cand_027_history_terminal_tools_path_traversal.py --json\n```\n\nThe PoV:\n\n1. Creates a temporary Dynamic Context base directory.\n2. Creates a separate outside directory containing `secret.jsonl` and\n `secret.log`.\n3. Creates legitimate in-base history and terminal log controls.\n4. Calls `history_tail()` and `history_get()` with\n `run_id=\u003coutside-dir\u003e` and `agent_id=../secret`.\n5. Calls `terminal_tail()` and `terminal_grep()` with the same traversal.\n6. Confirms the traversal paths resolve to files outside the configured base.\n\nObserved output summary from `evidence/pov-pypi-4.6.58.json`:\n\n```json\n{\n \"package\": \"praisonai\",\n \"package_version\": \"4.6.58\",\n \"controls\": {\n \"valid_history_read_works\": true,\n \"valid_terminal_read_works\": true,\n \"outside_history_file_outside_base_dir\": true,\n \"outside_terminal_file_outside_base_dir\": true,\n \"traversal_history_path_resolves_to_outside_file\": true,\n \"traversal_terminal_path_resolves_to_outside_file\": true\n },\n \"outside_history_tail\": \"Last 1 messages:\\\\n\\\\n[system]: PRAI-CAND-027-HISTORY-SECRET\",\n \"outside_terminal_tail\": \"PRAI-CAND-027-TERMINAL-SECRET\\\\nsecond line\\\\n\",\n \"outside_terminal_grep\": \"Found 1 matches:\\\\n\\\\n--- Line 1 ---\\\\n\u003e PRAI-CAND-027-TERMINAL-SECRET\\\\n second line\",\n \"vulnerable\": true\n}\n```\n\nThe PoV is local-only. It does not start a server, contact a third-party\ntarget, or use real credentials.\n\n## Why This Is Not Intended Behavior\n\nThis report does not claim that history and terminal helpers should be unable\nto read legitimate history or terminal logs. The issue is narrower: logical\n`run_id` and `agent_id` values can escape the configured Dynamic Context base\ndirectory.\n\nThe controls show the intended boundary:\n\n- legitimate in-base history remains readable;\n- legitimate in-base terminal logs remain readable;\n- the outside `.jsonl` and `.log` files are not under the configured\n `base_dir`; and\n- the tools still disclose those outside files through traversal identifiers.\n\nThe official context reference describes history persistence and terminal\nlogging as filesystem-backed Dynamic Context features. The context security\ndocumentation also treats absolute paths, path traversal, and sensitive files\nas privacy/security risks. Reading files outside the configured context store\nconflicts with that documented boundary.\n\n## Impact\n\nIf a PraisonAI application exposes these Dynamic Context tools to untrusted or\nlower-trust prompts, the lower-trust caller can read files outside the\nconfigured context storage when the target file can be reached with the\ntool-imposed suffix:\n\n- `history_*` tools can disclose reachable `.jsonl` files;\n- `terminal_*` tools can disclose reachable `.log` files; and\n- cross-run or cross-agent context/history/logs can be disclosed if their path\n is known or guessable.\n\nThis can expose conversation history, prompts, terminal output, command logs,\ntokens, API keys, cloud credentials, operational data, or other secrets stored\nin JSONL/log files readable by the PraisonAI process.\n\nThe impact is confidentiality-only in the tested surface. Integrity and\navailability are not claimed for this report.\n\n## Severity\n\nSuggested severity: High.\n\nRationale:\n\n- `AV`: applies when an application exposes an agent with these tools over a\n network chat/API surface.\n- `AC`: the traversal needs only chosen `run_id` and `agent_id` values.\n- `PR`: an unauthenticated or public-facing agent endpoint can be exploited\n without an account. Deployments that require authenticated chat/API access\n may score this as `PR:L`.\n- `UI`: the attacker directly supplies the prompt/tool argument to the\n exposed agent surface.\n- `C`: conversation history and terminal logs can contain secrets and private\n operational data.\n- `I:N/A`: this report demonstrates read-only disclosure.\n\n## Remediation\n\nTreat `run_id` and `agent_id` as logical identifiers, not path components.\n\nRecommended fixes:\n\n1. Reject absolute paths, path separators, and traversal components in\n `run_id` and `agent_id`.\n2. Build candidate paths, call `.resolve()`, and reject any path that is not\n under `self.base_dir.resolve()`.\n3. Apply the same containment helper to history append/read/search/clear/export\n and terminal log/read/search/clear/export paths.\n4. Prefer opaque server-generated run and agent IDs in tool schemas.\n5. Add regression tests for absolute `run_id`, `../` in `run_id`, and `../` in\n `agent_id` for history and terminal tool factories.\n\nMinimal containment shape:\n\n```python\ndef _safe_child(self, *parts: str) -\u003e Path:\n candidate = self.base_dir.joinpath(*parts).resolve()\n base = self.base_dir.resolve()\n try:\n candidate.relative_to(base)\n except ValueError as exc:\n raise PermissionError(\"Context path is outside configured base_dir\") from exc\n return candidate\n```\n\nPair this with an identifier allowlist, because `run_id` and `agent_id` should\nnot need filesystem syntax.",
"id": "GHSA-22cj-m4wf-fv2c",
"modified": "2026-06-18T13:52:32Z",
"published": "2026-06-18T13:52:32Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-22cj-m4wf-fv2c"
},
{
"type": "PACKAGE",
"url": "https://github.com/MervinPraison/PraisonAI"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "PraisonAI Dynamic Context history and terminal tools read files outside configured storage via path traversal"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.