GHSA-VJV9-7M7J-H833
Vulnerability from github – Published: 2026-06-18 14:26 – Updated: 2026-06-18 14:26Summary
The published npm package praisonai exports SandboxExecutor, CommandValidator, and sandboxExec as "safe command execution with restrictions." When allowedCommands is configured, CommandValidator checks only the first whitespace-delimited token of the command string. SandboxExecutor then passes the entire original string to spawn("sh", ["-c", command]).
With a policy that allows only echo, this direct command is correctly rejected:
cat /tmp/marker
but this chained command is accepted and executed:
echo allowed; cat /tmp/marker
The shell executes cat even though cat is not allowlisted. This bypasses the command allowlist and can execute arbitrary shell commands with the PraisonAI process privileges when an application, CLI workflow, or agent pipeline exposes sandbox command execution to lower-trust users, prompts, or model output.
The PoV is deterministic and local-only. It creates and reads only a temporary marker file.
Technical Details
In src/praisonai-ts/src/cli/features/sandbox-executor.ts, CommandValidator.validate() normalizes the command and authorizes only the first whitespace token:
const normalized = command.toLowerCase().trim();
if (this.allowedCommands) {
const baseCmd = normalized.split(/\s+/)[0];
if (!this.allowedCommands.includes(baseCmd)) {
return { valid: false, reason: `Command '${baseCmd}' not in allowlist` };
}
}
The denylist does not generally reject shell separators. It blocks a few specific patterns such as ; rm, but not ; cat, &&, ||, backticks, $(), or newline as a general policy boundary.
SandboxExecutor.spawn() then executes the unmodified command string through a shell:
const proc = spawn('sh', ['-c', command], {
cwd: this.config.cwd,
env,
timeout: this.config.timeout,
stdio: ['pipe', 'pipe', 'pipe']
});
That creates a mismatch: the allowlist authorizes one command token, but the shell interprets the whole string as a script.
The published npm:praisonai@1.7.1 dist files preserve the same behavior:
dist/cli/features/sandbox-executor.jschecks onlybaseCmd.dist/cli/features/sandbox-executor.jslater invokesspawn("sh", ["-c", command]).dist/index.jsexportsSandboxExecutor,CommandValidator, andsandboxExec.
Why This Is Not Intended Behavior
PraisonAI's sandbox docs describe sandbox execution as a security feature for AI-generated commands, with command validation, resource limits, path restrictions, network isolation, and execution isolation. The TypeScript source also describes this component as "Safe command execution with restrictions."
With allowedCommands: ["echo"], PraisonAI correctly rejects cat <marker> when submitted directly. That proves the intended policy is to block non-allowlisted executables. The same policy allowing echo allowed; cat <marker> is therefore an authorization bypass, not merely a permissive configuration.
PoV
Run from a local reproduction checkout:
node poc/pov_poc.js 1.7.1
Expected output includes:
{
"version": "1.7.1",
"package": "npm:praisonai",
"allowedCommands": ["echo"],
"controls": {
"directCatRejected": true,
"benignEchoAllowed": true,
"patchedControlRejectsChainedShell": true
},
"observed": {
"directPolicy": {
"allowed": false,
"reason": "Command 'cat' not in allowlist"
},
"benignPolicy": {
"allowed": true
},
"chainedPolicy": {
"allowed": true
},
"chainedRun": {
"success": true,
"stdout": "allowed\npoc.7.1",
"stderr": "",
"exitCode": 0
},
"patchedControl": {
"benign": {
"allowed": true
},
"direct": {
"allowed": false,
"reason": "Command 'cat' not in allowlist"
},
"chained": {
"allowed": false,
"reason": "shell metacharacter rejected before execution"
}
}
},
"vulnerable": true
}
Interpretation:
- Direct
cat <marker>is rejected by the allowlist. - Benign
echo allowedis accepted. echo allowed; cat <marker>is accepted by the same allowlist and executes the non-allowlistedcat.- A patched-control validator that rejects shell metacharacters before execution blocks the chained command while still allowing benign
echo.
The PoV installs npm:praisonai@1.7.1 into a temporary project, creates a temporary marker file, and reads only that file. It does not contact any live service or execute destructive commands.
PoC
The PoV section above contains the local reproduction command, input, and decisive output.
Impact
If lower-trust users, prompts, or model output can influence a command string sent to SandboxExecutor or sandboxExec, allowedCommands does not enforce the intended command boundary. An attacker can append arbitrary shell commands after an allowed first token and run them with the privileges of the PraisonAI process.
Concrete consequences depend on the hosting application and configured process privileges, but can include reading or modifying files, invoking local tools, using available credentials, or causing denial of service.
This report does not claim that npm PraisonAI exposes this as a default network service. It is a library-level sandbox/allowlist bypass in an exported TypeScript API that is explicitly designed for safe command execution.
Severity
Suggested severity: High.
Rationale:
AV: common deployment pattern is an application exposing agent prompts or command automation over a network.AC: attacker only needs to induce or submit a command string that starts with an allowed command.PR: conservative base score assumes the attacker can submit prompts or command requests to the application.UI: no operator action is needed once the command reaches the executor.S: impact is in the PraisonAI-hosting process.C/I/A: arbitrary shell commands can affect confidentiality, integrity, and availability depending on process privileges.
If maintainers score only local CLI use, AV:L may be reasonable. If they score public unauthenticated prompt or command endpoints built on this API, PR:N may be reasonable.
Suggested Fix
Avoid passing policy-checked user strings to a shell.
Recommended:
- Require callers to pass
{ command, args }, or parse command strings into argv with a shell-aware parser. - Execute with
spawn(command, args, { shell: false })/execFile()instead ofsh -c. - Apply
allowedCommandsto the exact executable after normalization. - Reject shell metacharacters (
;,&&,||,|, backticks,$(), newline, redirects) when a shell string API must be kept for compatibility. - Add regression tests proving
allowedCommands: ["echo"]allowsecho okbut rejectscat marker,echo ok; cat marker,echo ok && cat marker, andecho ok | cat marker.
Affected Package/Versions
- Repository:
MervinPraison/PraisonAI - Package:
npm:praisonai - Component: TypeScript CLI feature
SandboxExecutor - Current head validated:
1ad58ca02975ff1398efeda694ea2ab78f20cf3e - Current tag validated:
v4.6.58 - Latest npm package validated:
1.7.1
Suggested affected range:
npm:praisonai >= 1.2.3, <= 1.7.1
Selected version sweep:
1.0.0: package main cannot be required in the selected test environment.1.2.0,1.2.1,1.2.2:SandboxExecutoris not exported.1.2.3: vulnerable.1.2.4: vulnerable.1.3.0: vulnerable.1.3.6: vulnerable.1.4.0: vulnerable.1.5.0: vulnerable.1.5.4: vulnerable.1.6.0: vulnerable.1.7.0: vulnerable.1.7.1: vulnerable.
Advisory History
This is distinct from known and previously submitted PraisonAI issues:
GHSA-r4f2-3m54-pp7qcovers PyPISubprocessSandboxshell=Trueand blocklist bypass.GHSA-2763-cj5r-c79mcovers PyPIpraisonaiOS command injection.GHSA-v7px-3835-7gjxcovers PyPImemory/hooks.pyshell injection.GHSA-4wr3-f4p3-5wjhcovers Python agent tool approval allow-list manipulation.GHSA-4mr5-g6f9-cfrhcovers PyPI/Pythonexecute_codesandbox escape.GHSA-9qhq-v63v-fv3jcovers an incomplete fix for a Python command injection.GHSA-vmmj-pfw7-fjwpcovers npmcodeModehost-processnew Functionsandbox escape.
No visible local or GitHub advisory covers npm TypeScript SandboxExecutor, CommandValidator, allowedCommands, or the first-token allowlist followed by sh -c shell-chaining root cause.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.7.1"
},
"package": {
"ecosystem": "npm",
"name": "praisonai"
},
"ranges": [
{
"events": [
{
"introduced": "1.2.3"
},
{
"fixed": "1.7.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-693",
"CWE-78",
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-18T14:26:34Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "## Summary\n\nThe published npm package `praisonai` exports `SandboxExecutor`, `CommandValidator`, and `sandboxExec` as \"safe command execution with restrictions.\" When `allowedCommands` is configured, `CommandValidator` checks only the first whitespace-delimited token of the command string. `SandboxExecutor` then passes the entire original string to `spawn(\"sh\", [\"-c\", command])`.\n\nWith a policy that allows only `echo`, this direct command is correctly rejected:\n\n```sh\ncat /tmp/marker\n```\n\nbut this chained command is accepted and executed:\n\n```sh\necho allowed; cat /tmp/marker\n```\n\nThe shell executes `cat` even though `cat` is not allowlisted. This bypasses the command allowlist and can execute arbitrary shell commands with the PraisonAI process privileges when an application, CLI workflow, or agent pipeline exposes sandbox command execution to lower-trust users, prompts, or model output.\n\nThe PoV is deterministic and local-only. It creates and reads only a temporary marker file.\n\n## Technical Details\n\nIn `src/praisonai-ts/src/cli/features/sandbox-executor.ts`, `CommandValidator.validate()` normalizes the command and authorizes only the first whitespace token:\n\n```ts\nconst normalized = command.toLowerCase().trim();\n\nif (this.allowedCommands) {\n const baseCmd = normalized.split(/\\s+/)[0];\n if (!this.allowedCommands.includes(baseCmd)) {\n return { valid: false, reason: `Command \u0027${baseCmd}\u0027 not in allowlist` };\n }\n}\n```\n\nThe denylist does not generally reject shell separators. It blocks a few specific patterns such as `; rm`, but not `; cat`, `\u0026\u0026`, `||`, backticks, `$()`, or newline as a general policy boundary.\n\n`SandboxExecutor.spawn()` then executes the unmodified command string through a shell:\n\n```ts\nconst proc = spawn(\u0027sh\u0027, [\u0027-c\u0027, command], {\n cwd: this.config.cwd,\n env,\n timeout: this.config.timeout,\n stdio: [\u0027pipe\u0027, \u0027pipe\u0027, \u0027pipe\u0027]\n});\n```\n\nThat creates a mismatch: the allowlist authorizes one command token, but the shell interprets the whole string as a script.\n\nThe published `npm:praisonai@1.7.1` dist files preserve the same behavior:\n\n- `dist/cli/features/sandbox-executor.js` checks only `baseCmd`.\n- `dist/cli/features/sandbox-executor.js` later invokes `spawn(\"sh\", [\"-c\", command])`.\n- `dist/index.js` exports `SandboxExecutor`, `CommandValidator`, and `sandboxExec`.\n\n### Why This Is Not Intended Behavior\n\nPraisonAI\u0027s sandbox docs describe sandbox execution as a security feature for AI-generated commands, with command validation, resource limits, path restrictions, network isolation, and execution isolation. The TypeScript source also describes this component as \"Safe command execution with restrictions.\"\n\nWith `allowedCommands: [\"echo\"]`, PraisonAI correctly rejects `cat \u003cmarker\u003e` when submitted directly. That proves the intended policy is to block non-allowlisted executables. The same policy allowing `echo allowed; cat \u003cmarker\u003e` is therefore an authorization bypass, not merely a permissive configuration.\n\n## PoV\n\nRun from a local reproduction checkout:\n\n```bash\nnode poc/pov_poc.js 1.7.1\n```\n\nExpected output includes:\n\n```json\n{\n \"version\": \"1.7.1\",\n \"package\": \"npm:praisonai\",\n \"allowedCommands\": [\"echo\"],\n \"controls\": {\n \"directCatRejected\": true,\n \"benignEchoAllowed\": true,\n \"patchedControlRejectsChainedShell\": true\n },\n \"observed\": {\n \"directPolicy\": {\n \"allowed\": false,\n \"reason\": \"Command \u0027cat\u0027 not in allowlist\"\n },\n \"benignPolicy\": {\n \"allowed\": true\n },\n \"chainedPolicy\": {\n \"allowed\": true\n },\n \"chainedRun\": {\n \"success\": true,\n \"stdout\": \"allowed\\npoc.7.1\",\n \"stderr\": \"\",\n \"exitCode\": 0\n },\n \"patchedControl\": {\n \"benign\": {\n \"allowed\": true\n },\n \"direct\": {\n \"allowed\": false,\n \"reason\": \"Command \u0027cat\u0027 not in allowlist\"\n },\n \"chained\": {\n \"allowed\": false,\n \"reason\": \"shell metacharacter rejected before execution\"\n }\n }\n },\n \"vulnerable\": true\n}\n```\n\nInterpretation:\n\n- Direct `cat \u003cmarker\u003e` is rejected by the allowlist.\n- Benign `echo allowed` is accepted.\n- `echo allowed; cat \u003cmarker\u003e` is accepted by the same allowlist and executes the non-allowlisted `cat`.\n- A patched-control validator that rejects shell metacharacters before execution blocks the chained command while still allowing benign `echo`.\n\nThe PoV installs `npm:praisonai@1.7.1` into a temporary project, creates a temporary marker file, and reads only that file. It does not contact any live service or execute destructive commands.\n\n## PoC\n\nThe PoV section above contains the local reproduction command, input, and decisive output.\n\n## Impact\n\nIf lower-trust users, prompts, or model output can influence a command string sent to `SandboxExecutor` or `sandboxExec`, `allowedCommands` does not enforce the intended command boundary. An attacker can append arbitrary shell commands after an allowed first token and run them with the privileges of the PraisonAI process.\n\nConcrete consequences depend on the hosting application and configured process privileges, but can include reading or modifying files, invoking local tools, using available credentials, or causing denial of service.\n\nThis report does not claim that npm PraisonAI exposes this as a default network service. It is a library-level sandbox/allowlist bypass in an exported TypeScript API that is explicitly designed for safe command execution.\n\n### Severity\n\nSuggested severity: High.\n\nRationale:\n\n- `AV`: common deployment pattern is an application exposing agent prompts or command automation over a network.\n- `AC`: attacker only needs to induce or submit a command string that starts with an allowed command.\n- `PR`: conservative base score assumes the attacker can submit prompts or command requests to the application.\n- `UI`: no operator action is needed once the command reaches the executor.\n- `S`: impact is in the PraisonAI-hosting process.\n- `C/I/A`: arbitrary shell commands can affect confidentiality, integrity, and availability depending on process privileges.\n\nIf maintainers score only local CLI use, `AV:L` may be reasonable. If they score public unauthenticated prompt or command endpoints built on this API, `PR:N` may be reasonable.\n\n## Suggested Fix\n\nAvoid passing policy-checked user strings to a shell.\n\nRecommended:\n\n1. Require callers to pass `{ command, args }`, or parse command strings into argv with a shell-aware parser.\n2. Execute with `spawn(command, args, { shell: false })` / `execFile()` instead of `sh -c`.\n3. Apply `allowedCommands` to the exact executable after normalization.\n4. Reject shell metacharacters (`;`, `\u0026\u0026`, `||`, `|`, backticks, `$()`, newline, redirects) when a shell string API must be kept for compatibility.\n5. Add regression tests proving `allowedCommands: [\"echo\"]` allows `echo ok` but rejects `cat marker`, `echo ok; cat marker`, `echo ok \u0026\u0026 cat marker`, and `echo ok | cat marker`.\n\n## Affected Package/Versions\n\n- Repository: `MervinPraison/PraisonAI`\n- Package: `npm:praisonai`\n- Component: TypeScript CLI feature `SandboxExecutor`\n- Current head validated: `1ad58ca02975ff1398efeda694ea2ab78f20cf3e`\n- Current tag validated: `v4.6.58`\n- Latest npm package validated: `1.7.1`\n\nSuggested affected range:\n\n```text\nnpm:praisonai \u003e= 1.2.3, \u003c= 1.7.1\n```\n\nSelected version sweep:\n\n- `1.0.0`: package main cannot be required in the selected test environment.\n- `1.2.0`, `1.2.1`, `1.2.2`: `SandboxExecutor` is not exported.\n- `1.2.3`: vulnerable.\n- `1.2.4`: vulnerable.\n- `1.3.0`: vulnerable.\n- `1.3.6`: vulnerable.\n- `1.4.0`: vulnerable.\n- `1.5.0`: vulnerable.\n- `1.5.4`: vulnerable.\n- `1.6.0`: vulnerable.\n- `1.7.0`: vulnerable.\n- `1.7.1`: vulnerable.\n\n## Advisory History\n\nThis is distinct from known and previously submitted PraisonAI issues:\n\n- `GHSA-r4f2-3m54-pp7q` covers PyPI `SubprocessSandbox` `shell=True` and blocklist bypass.\n- `GHSA-2763-cj5r-c79m` covers PyPI `praisonai` OS command injection.\n- `GHSA-v7px-3835-7gjx` covers PyPI `memory/hooks.py` shell injection.\n- `GHSA-4wr3-f4p3-5wjh` covers Python agent tool approval allow-list manipulation.\n- `GHSA-4mr5-g6f9-cfrh` covers PyPI/Python `execute_code` sandbox escape.\n- `GHSA-9qhq-v63v-fv3j` covers an incomplete fix for a Python command injection.\n- `GHSA-vmmj-pfw7-fjwp` covers npm `codeMode` host-process `new Function` sandbox escape.\n\nNo visible local or GitHub advisory covers npm TypeScript `SandboxExecutor`, `CommandValidator`, `allowedCommands`, or the first-token allowlist followed by `sh -c` shell-chaining root cause.",
"id": "GHSA-vjv9-7m7j-h833",
"modified": "2026-06-18T14:26:35Z",
"published": "2026-06-18T14:26:34Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-vjv9-7m7j-h833"
},
{
"type": "PACKAGE",
"url": "https://github.com/MervinPraison/PraisonAI"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "npm PraisonAI SandboxExecutor allowedCommands bypass via shell chaining"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.