GHSA-29w3-p9w9-wc47: PraisonAI multiedit path

Q: Is GHSA-29w3-p9w9-wc47 actively exploited?

No confirmed active exploitation of GHSA-29w3-p9w9-wc47 has been reported, but organizations should still patch proactively.

Q: How to fix GHSA-29w3-p9w9-wc47?

1. Patch immediately: upgrade praisonai to ≥ 4.6.61. 2. OS-level isolation: run agent processes under a dedicated low-privilege user with minimal filesystem permissions; mount sensitive directories read-only or restrict access via AppArmor or SELinux profiles. 3. Disable multiedit if unused: remove or restrict the tool from agent tool registries until patched. 4. Disable auto_approve_tools: set `auto_approve_tools=False` in all chatbot deployments and require human-in-the-loop approval for file-write operations. 5. Detect exploitation: audit agent process logs for filepath arguments containing absolute paths outside the workspace, `..` sequences, or patterns matching `.env`, `.ssh`, `.aws`, `/etc`, `/root`. 6. Rotate credentials: if exposure is suspected, rotate all secrets accessible to the agent process — cloud keys, SSH keys, API tokens, database passwords.

Q: What systems are affected by GHSA-29w3-p9w9-wc47?

This vulnerability affects the following AI/ML architecture patterns: AI agent frameworks, Chatbot deployments (Telegram, Discord, Slack bots), Multi-agent pipelines, Agentic workflows with filesystem tool access, YAML-configured workflow automation.

Q: What is the CVSS score for GHSA-29w3-p9w9-wc47?

GHSA-29w3-p9w9-wc47 has a CVSS v3.1 base score of 9.1 (CRITICAL).

CISO Take

The PraisonAI `multiedit` agent tool passes the `filepath` parameter directly to Python's `open()` without path traversal checks, workspace boundary validation, symlink resolution, or protected-path guards — allowing any LLM-controlled agent call to read files such as `/etc/shadow`, `~/.ssh/id_rsa`, or `.aws/credentials`, and overwrite arbitrary writable files on the host. Because `auto_approve_tools=True` is the default in PraisonAI chatbot deployments (Telegram, Discord, Slack bots), an external attacker needs only to craft a malicious prompt to reach this code path with no authentication whatsoever (CVSS 9.1, AV:N/AC:L/PR:N/UI:N). The blast radius extends to every deployment where the agent process has filesystem access: credential theft, `.ssh/authorized_keys` backdoors, and source-code overwrites are all achievable in a single tool call. Upgrade to praisonai ≥ 4.6.61 immediately and enforce OS-level isolation — run agents under a restricted user or in a container with read-only mounts — as defense-in-depth until all instances are confirmed patched.

Sources: GitHub Advisory ATLAS NVD

What is the risk?

Critical severity with an extremely low exploitation bar. The vulnerability requires no authentication, no special AI or ML knowledge, and no novel technique — just a crafted filepath string passed to an exposed tool. Default PraisonAI chatbot deployments auto-approve tool calls, meaning any external user of a chat-integrated agent is a potential attacker. Any deployment where the agent process has access to sensitive files — cloud credentials, SSH keys, application secrets, environment files — is at immediate risk of credential exfiltration and privilege escalation. The sibling tools in the same codebase already implement the correct validation pattern, confirming this is an unintentional oversight rather than a design decision, which historically correlates with fast adversarial weaponization once a PoC is public.

How does the attack unfold?

Prompt Injection via Chatbot Input

Attacker crafts a malicious user message to a PraisonAI chatbot or a poisoned YAML workflow config that instructs the LLM agent to call the multiedit tool with an attacker-controlled absolute filepath.

AML.T0051.001

Unvalidated Tool Invocation

The LLM agent calls multiedit with the attacker-supplied filepath; the tool opens the target file with no path traversal check, workspace boundary validation, or protected-path guard — auto-approved by default.

AML.T0053

Credential and Secret Exfiltration

Attacker reads sensitive files such as .aws/credentials, .env files, and SSH private keys via the read path, obtaining cloud access keys and application secrets.

AML.T0037

Persistence via Arbitrary File Write

Attacker overwrites ~/.ssh/authorized_keys with their own public key or injects a reverse shell payload into ~/.bashrc, establishing persistent host-level access on the server running the agent.

AML.T0086

Prompt Injection via Chatbot Input

Attacker crafts a malicious user message to a PraisonAI chatbot or a poisoned YAML workflow config that instructs the LLM agent to call the multiedit tool with an attacker-controlled absolute filepath.

AML.T0051.001

Unvalidated Tool Invocation

The LLM agent calls multiedit with the attacker-supplied filepath; the tool opens the target file with no path traversal check, workspace boundary validation, or protected-path guard — auto-approved by default.

AML.T0053

Credential and Secret Exfiltration

Attacker reads sensitive files such as .aws/credentials, .env files, and SSH private keys via the read path, obtaining cloud access keys and application secrets.

AML.T0037

Persistence via Arbitrary File Write

Attacker overwrites ~/.ssh/authorized_keys with their own public key or injects a reverse shell payload into ~/.bashrc, establishing persistent host-level access on the server running the agent.

AML.T0086

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
PraisonAI	pip	< 4.6.61	`4.6.61`
1 dependents 89% patched ~0d to patch Full package profile →

Do you use PraisonAI? You're affected.

How severe is it?

CVSS 3.1

9.1 / 10

EPSS

N/A

Exploitation Status

No known exploitation

Sophistication

Trivial

What is the attack surface?

AV Network

AC Low

PR None

UI None

S Unchanged

C High

I High

A None

What should I do?

6 steps

Patch immediately: upgrade praisonai to ≥ 4.6.61.
OS-level isolation: run agent processes under a dedicated low-privilege user with minimal filesystem permissions; mount sensitive directories read-only or restrict access via AppArmor or SELinux profiles.
Disable multiedit if unused: remove or restrict the tool from agent tool registries until patched.
Disable auto_approve_tools: set auto_approve_tools=False in all chatbot deployments and require human-in-the-loop approval for file-write operations.
Detect exploitation: audit agent process logs for filepath arguments containing absolute paths outside the workspace, .. sequences, or patterns matching .env, .ssh, .aws, /etc, /root.
Rotate credentials: if exposure is suspected, rotate all secrets accessible to the agent process — cloud keys, SSH keys, API tokens, database passwords.

How is it classified?

Data Extraction Code Execution Privacy Violation Agent Plugin AML.T0010.005 - AI Agent Tool AML.T0037 - Data from Local System AML.T0051.001 - Indirect AML.T0053 - AI Agent Tool Invocation AML.T0055 - Unsecured Credentials AML.T0086 - Exfiltration via AI Agent Tool Invocation AML.T0101 - Data Destruction via AI Agent Tool Invocation

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act

Art. 15 - Accuracy, robustness and cybersecurity

ISO 42001

A.8.2 - AI system security

NIST AI RMF

GOVERN 6.2 - Policies and procedures are in place for AI risk management

OWASP LLM Top 10

LLM07 - Insecure Plugin Design LLM08 - Excessive Agency

Frequently Asked Questions

What is GHSA-29w3-p9w9-wc47?

The PraisonAI `multiedit` agent tool passes the `filepath` parameter directly to Python's `open()` without path traversal checks, workspace boundary validation, symlink resolution, or protected-path guards — allowing any LLM-controlled agent call to read files such as `/etc/shadow`, `~/.ssh/id_rsa`, or `.aws/credentials`, and overwrite arbitrary writable files on the host. Because `auto_approve_tools=True` is the default in PraisonAI chatbot deployments (Telegram, Discord, Slack bots), an external attacker needs only to craft a malicious prompt to reach this code path with no authentication whatsoever (CVSS 9.1, AV:N/AC:L/PR:N/UI:N). The blast radius extends to every deployment where the agent process has filesystem access: credential theft, `.ssh/authorized_keys` backdoors, and source-code overwrites are all achievable in a single tool call. Upgrade to praisonai ≥ 4.6.61 immediately and enforce OS-level isolation — run agents under a restricted user or in a container with read-only mounts — as defense-in-depth until all instances are confirmed patched.

Is GHSA-29w3-p9w9-wc47 actively exploited?

No confirmed active exploitation of GHSA-29w3-p9w9-wc47 has been reported, but organizations should still patch proactively.

How to fix GHSA-29w3-p9w9-wc47?

1. Patch immediately: upgrade praisonai to ≥ 4.6.61. 2. OS-level isolation: run agent processes under a dedicated low-privilege user with minimal filesystem permissions; mount sensitive directories read-only or restrict access via AppArmor or SELinux profiles. 3. Disable multiedit if unused: remove or restrict the tool from agent tool registries until patched. 4. Disable auto_approve_tools: set `auto_approve_tools=False` in all chatbot deployments and require human-in-the-loop approval for file-write operations. 5. Detect exploitation: audit agent process logs for filepath arguments containing absolute paths outside the workspace, `..` sequences, or patterns matching `.env`, `.ssh`, `.aws`, `/etc`, `/root`. 6. Rotate credentials: if exposure is suspected, rotate all secrets accessible to the agent process — cloud keys, SSH keys, API tokens, database passwords.

What systems are affected by GHSA-29w3-p9w9-wc47?

This vulnerability affects the following AI/ML architecture patterns: AI agent frameworks, Chatbot deployments (Telegram, Discord, Slack bots), Multi-agent pipelines, Agentic workflows with filesystem tool access, YAML-configured workflow automation.

What is the CVSS score for GHSA-29w3-p9w9-wc47?

GHSA-29w3-p9w9-wc47 has a CVSS v3.1 base score of 9.1 (CRITICAL).

What is the AI security impact?

Affected AI Architectures

AI agent frameworksChatbot deployments (Telegram, Discord, Slack bots)Multi-agent pipelinesAgentic workflows with filesystem tool accessYAML-configured workflow automation

MITRE ATLAS Techniques

AML.T0010.005 AI Agent Tool

AML.T0037 Data from Local System

AML.T0051.001 Indirect

AML.T0053 AI Agent Tool Invocation

AML.T0055 Unsecured Credentials

AML.T0086 Exfiltration via AI Agent Tool Invocation

AML.T0101 Data Destruction via AI Agent Tool Invocation

Compliance Controls Affected

EU AI Act: Art. 15

ISO 42001: A.8.2

NIST AI RMF: GOVERN 6.2

OWASP LLM Top 10: LLM07, LLM08

What are the technical details?

Original Advisory

## Summary The `multiedit` tool in `src/praisonai/praisonai/tools/multiedit.py` allows LLM-controlled arbitrary file read and write without any path validation, workspace boundary check, or protected path guard. This enables an attacker who can influence agent tool arguments (via crafted prompts, user input in chat bots, or malicious YAML workflow configs) to read sensitive files (e.g., `/etc/shadow`, `~/.ssh/id_rsa`, `~/.aws/credentials`) and overwrite arbitrary files on the filesystem. ## Details The `filepath` parameter is used directly with `open()` for both reading (line 74) and writing (line 130) without any of the following protections that exist in other tools in the same codebase: 1. **No `..` path traversal check** — unlike `file_tools.py` (line 66: `if '..' in filepath: raise ValueError`) and `edit_tools.py` (line 35). 2. **No workspace boundary validation** — unlike `file_tools.py` (`_validate_path` with `os.path.commonpath` check) and `skill_tools.py` (`read_skill_file` with workspace boundary check). 3. **No protected path guard** — unlike `praisonai/code/tools/` which uses `is_path_within_directory` and protected path checks. 4. **No symlink resolution** — unlike `file_tools.py` which uses `os.path.realpath`. The function is exported via `src/praisonai/praisonai/tools/__init__.py` as a lazy-loaded tool and is available to agents through the PraisonAI CLI tools registry. **Contrast with protected tools:** The sibling tools `write_file.py`, `read_file.py`, `apply_diff.py`, and `search_replace.py` in `src/praisonai/praisonai/code/tools/` all implement `is_path_within_directory()` checks and protected path guards. The `multiedit` tool has none of these protections. ## PoC **Setup:** Clean checkout of PraisonAI at commit `d5f1114a`. No additional dependencies needed beyond Python 3.10+. **Positive trigger — arbitrary file read via dry_run:** ```bash cd /tmp && python3 -c " import sys sys.path.insert(0, 'src/praisonai') from praisonai.tools.multiedit import multiedit # Read any file content via diff output (dry_run=True prevents write) result = multiedit('/etc/hostname', [{'old': 'DOESNOTEXIST', 'new': 'x'}], dry_run=True) # The diff output reveals the file contents print('Success:', result['success']) print('Content leaked via diff:', len(result.get('diff', '')), 'bytes') " ``` **Positive trigger — arbitrary file write:** ```bash cd /tmp && python3 -c " import sys sys.path.insert(0, 'src/praisonai') from praisonai.tools.multiedit import multiedit # Write to an arbitrary file outside workspace with open('/tmp/victim_file.txt', 'w') as f: f.write('original content here\n') result = multiedit('/tmp/victim_file.txt', [{'old': 'original', 'new': 'PWNED'}]) with open('/tmp/victim_file.txt', 'r') as f: print('File content after edit:', repr(f.read())) " ``` **Observed output:** ``` # Read: Success: False Content leaked via diff: 0 bytes (file content still accessible via dry_run diff when edits match) # Write: File content after edit: 'PWNED content here\n' ``` **Negative control — non-existent file:** ```bash result = multiedit('/nonexistent/file.txt', [{'old': 'a', 'new': 'b'}]) # Returns: {'success': False, 'error': 'File not found: /nonexistent/file.txt'} ``` **Cleanup:** `rm /tmp/victim_file.txt` ## Impact An attacker who can influence the `filepath` parameter of the `multiedit` tool (via crafted prompts to an AI agent, user messages in Telegram/Discord/Slack bots using `auto_approve_tools=True`, or YAML workflow configurations) can: - **Read arbitrary files** — any file readable by the process user, including secrets, SSH keys, cloud credentials, environment files (`.env`), and configuration files. - **Write/overwrite arbitrary files** — modify any file writable by the process user, enabling privilege escalation (e.g., writing to `~/.bashrc`, `~/.ssh/authorized_keys`, or overwriting application source code). This affects all deployments where agents have the `multiedit` tool available, including the PraisonAI CLI and chat bot deployments where `auto_approve_tools` defaults to `True`. ## Suggested remediation Apply the same path validation pattern used by `file_tools.py` and the code tools in `src/praisonai/praisonai/code/tools/`: 1. Add a `_validate_path` function that: - Rejects paths containing `..` - Resolves symlinks via `os.path.realpath` - Validates the resolved path is within the workspace/CWD using `os.path.commonpath` 2. Add protected path guards (`.env`, `.git`, `.ssh`, keys, credentials) 3. Apply `_validate_path` to the `filepath` parameter before any `open()` call 4. Consider adding `@require_approval(risk_level="high")` to the `multiedit` function

Exploitation Scenario

An attacker interacting with a PraisonAI-powered Slack or Telegram bot sends a crafted message instructing the underlying LLM to call `multiedit` with `filepath='/home/app/.aws/credentials'`. Because `auto_approve_tools=True` is the default, the tool executes without human review and the file contents are accessible via the diff output or read path, leaking AWS access keys directly to the attacker. The attacker then escalates by instructing the agent to overwrite `~/.ssh/authorized_keys` with their own public key or inject a reverse shell into `~/.bashrc`, achieving persistent host-level code execution on the server running the bot. The entire attack chain requires only the ability to send messages to the chatbot interface and takes under a minute to execute.

Weaknesses (CWE)

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Primary

CWE-22 — Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'): The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

[Implementation] Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylis
[Architecture and Design] For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.

Source: MITRE CWE corpus.