GHSA-32VR-5GCF-3PW2

Vulnerability from github – Published: 2026-04-08 19:17 – Updated: 2026-04-09 14:29
VLAI?
Summary
PraisonAI Vulnerable to Remote Code Execution via YAML Deserialization in Agent Definition Loading
Details

Summary

The AgentService.loadAgentFromFile method uses the js-yaml library to parse YAML files without disabling dangerous tags (such as !!js/function and !!js/undefined). This allows an attacker to craft a malicious YAML file that, when parsed, executes arbitrary JavaScript code. An attacker can exploit this vulnerability by uploading a malicious agent definition file via the API endpoint, leading to remote code execution (RCE) on the server.

Details

The vulnerability exists in the YAML deserialization process. The js-yaml library's load function is used without specifying a safe schema (e.g., JSON_SCHEMA or DEFAULT_SAFE_SCHEMA). This enables the parsing of JavaScript functions and other dangerous types. When a malicious YAML file containing a !!js/function tag is parsed, the function is evaluated, leading to arbitrary code execution.

The vulnerable code is located in src/agents/agent.service.ts at line 55.

PoC

An attacker can create a malicious agent YAML file with the following content:

!!js/function >
  function(){ require('child_process').execSync('touch /tmp/pwned') }

Then, upload this file as an agent definition via the API endpoint that uses AgentService.loadAgentFromFile. When the agent is loaded (either during startup or via an API call that triggers loading), the payload will execute the command touch /tmp/pwned, demonstrating arbitrary code execution.

Impact

This vulnerability allows an unauthenticated attacker (if the API endpoint is unprotected) or an authenticated attacker with the ability to upload agent definitions to execute arbitrary code on the server. This can lead to complete compromise of the server, data theft, or further network penetration.

Recommended Fix

Replace the unsafe load method with a safe alternative. Specifically, use the load method with a safe schema, such as JSON_SCHEMA or DEFAULT_SAFE_SCHEMA. For example:

import yaml from 'js-yaml';
import { JSON_SCHEMA } from 'js-yaml';

// In the loadAgentFromFile method
const agent = yaml.load(fileContent, { schema: JSON_SCHEMA });

Alternatively, if the application requires only a subset of YAML features, consider using the safeLoad method from an older version (though note it was deprecated). The key is to avoid loading tags that can execute code.

Additionally, validate and sanitize all user input, especially file uploads. Ensure that agent definition files are only uploaded by trusted users and consider storing them in a secure location with proper access controls.

Severity ?
9.8 (Critical)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 4.5.114"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "praisonai"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.5.115"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-39890"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-08T19:17:11Z",
    "nvd_published_at": "2026-04-08T21:17:01Z",
    "severity": "CRITICAL"
  },
  "details": "## Summary\nThe `AgentService.loadAgentFromFile` method uses the `js-yaml` library to parse YAML files without disabling dangerous tags (such as `!!js/function` and `!!js/undefined`). This allows an attacker to craft a malicious YAML file that, when parsed, executes arbitrary JavaScript code. An attacker can exploit this vulnerability by uploading a malicious agent definition file via the API endpoint, leading to remote code execution (RCE) on the server.\n\n## Details\nThe vulnerability exists in the YAML deserialization process. The `js-yaml` library\u0027s `load` function is used without specifying a safe schema (e.g., `JSON_SCHEMA` or `DEFAULT_SAFE_SCHEMA`). This enables the parsing of JavaScript functions and other dangerous types. When a malicious YAML file containing a `!!js/function` tag is parsed, the function is evaluated, leading to arbitrary code execution.\n\nThe vulnerable code is located in `src/agents/agent.service.ts` at line 55.\n\n## PoC\nAn attacker can create a malicious agent YAML file with the following content:\n```yaml\n!!js/function \u003e\n  function(){ require(\u0027child_process\u0027).execSync(\u0027touch /tmp/pwned\u0027) }\n```\nThen, upload this file as an agent definition via the API endpoint that uses `AgentService.loadAgentFromFile`. When the agent is loaded (either during startup or via an API call that triggers loading), the payload will execute the command `touch /tmp/pwned`, demonstrating arbitrary code execution.\n\n## Impact\nThis vulnerability allows an unauthenticated attacker (if the API endpoint is unprotected) or an authenticated attacker with the ability to upload agent definitions to execute arbitrary code on the server. This can lead to complete compromise of the server, data theft, or further network penetration.\n\n## Recommended Fix\nReplace the unsafe `load` method with a safe alternative. Specifically, use the `load` method with a safe schema, such as `JSON_SCHEMA` or `DEFAULT_SAFE_SCHEMA`. For example:\n\n```typescript\nimport yaml from \u0027js-yaml\u0027;\nimport { JSON_SCHEMA } from \u0027js-yaml\u0027;\n\n// In the loadAgentFromFile method\nconst agent = yaml.load(fileContent, { schema: JSON_SCHEMA });\n```\n\nAlternatively, if the application requires only a subset of YAML features, consider using the `safeLoad` method from an older version (though note it was deprecated). The key is to avoid loading tags that can execute code.\n\nAdditionally, validate and sanitize all user input, especially file uploads. Ensure that agent definition files are only uploaded by trusted users and consider storing them in a secure location with proper access controls.",
  "id": "GHSA-32vr-5gcf-3pw2",
  "modified": "2026-04-09T14:29:45Z",
  "published": "2026-04-08T19:17:11Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-32vr-5gcf-3pw2"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39890"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/MervinPraison/PraisonAI"
    },
    {
      "type": "WEB",
      "url": "https://github.com/MervinPraison/PraisonAI/releases/tag/v4.5.115"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "PraisonAI Vulnerable to Remote Code Execution via YAML Deserialization in Agent Definition Loading"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.