PraisonAI automatically imports and executes any tools.py file present in the current working directory when launching agent workflows — no path validation, no sandbox, no warning. With a CVSS of 8.4 (Local/No Privileges Required/No User Interaction), the attack surface is every developer workstation, CI runner, and server where praisonai is invoked, and reproduction is four lines of Python. There is no active CISA KEV listing and no public exploit tool at time of writing, but 41 prior CVEs in this package signal persistent input hygiene weaknesses and sustained attacker interest in this target. Patch immediately to PraisonAI 4.5.139 / praisonaiagents 1.5.140; as an interim control, restrict the directories from which PraisonAI is invoked and treat any tools.py not explicitly authored by your team as suspect.
What is the risk?
High risk despite the local attack vector designation. The 'local' CVSS vector understates real-world exposure: developers routinely clone untrusted repositories and run AI agent workflows from the project root, where a bundled malicious tools.py executes silently before any workflow logic. Exploitation requires no privileges and no user interaction beyond running a normal PraisonAI command. The full C/I/A:H impact triad means a successful exploit yields complete host compromise including all secrets and connected AI infrastructure. The 41-CVE history for this package indicates a pattern of inadequate input validation and increased likelihood of continued targeting.
How does the attack unfold?
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| PraisonAI | pip | <= 4.5.138 | 4.5.139 |
| PraisonAI Agents | pip | <= 1.5.139 | 1.5.140 |
How severe is it?
What is the attack surface?
What should I do?
5 steps:
1. Patch immediately: upgrade PraisonAI to 4.5.139 and praisonaiagents to 1.5.140.
2. Audit all existing deployments for unexpected tools.py files in working directories — treat any file not explicitly authored by your team as potentially malicious.
3. Interim workaround: run PraisonAI only from controlled, purpose-built staging directories rather than project roots where third-party code may reside.
4. In CI/CD pipelines: add a pre-execution assertion that verifies no tools.py exists in the working directory before invoking any praisonai command.
5. Detection: alert on creation or modification of tools.py in directories where PraisonAI is expected to execute; monitor for anomalous child process spawning from PraisonAI worker processes.
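A pre-execution guard of the kind step 4 describes, written here as an added example (not part of the advisory or of PraisonAI): it blocks when a tools.py is present in the working directory unless its SHA-256 digest is on a team-maintained allowlist, and also rejects symlinked tools.py files. The allowlist set `APPROVED_TOOLS_SHA256` and the function names are assumptions for this example.

```python
"""CI/CD pre-flight guard: refuse to invoke praisonai when an unvetted tools.py
sits in the working directory (interim control for the auto-import behaviour)."""
import hashlib
import os
import sys
from pathlib import Path

# Constructed allowlist: SHA-256 digests of tools.py files your team actually authored.
# Empty by default, so any tools.py in the working directory blocks execution.
APPROVED_TOOLS_SHA256: set = set()


def sha256_of(path: Path) -> str:
    """Hex SHA-256 of a file, read in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_working_dir(cwd: Path, approved: set) -> tuple:
    """Return (ok, reason). ok is False when a tools.py that is not on the allowlist
    is present in cwd, which is exactly the file PraisonAI would auto-import."""
    candidate = cwd / "tools.py"
    if candidate.is_symlink():
        # A symlink can point at attacker-controlled content outside the directory.
        return False, "tools.py is a symlink to %s" % os.readlink(candidate)
    if not candidate.exists():
        return True, "no tools.py in working directory"
    digest = sha256_of(candidate)
    if digest in approved:
        return True, "tools.py matches approved digest %s" % digest[:12]
    return False, "unapproved tools.py present (sha256 %s)" % digest


def main() -> int:
    ok, reason = check_working_dir(Path.cwd(), APPROVED_TOOLS_SHA256)
    print(("OK: " if ok else "BLOCKED: ") + reason)
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main())
```

Run it as the step immediately before any `praisonai` command in the pipeline; a non-zero exit fails the job.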
How is it classified?
Which compliance frameworks are affected?
Frequently Asked Questions
Is GHSA-g985-wjh9-qxxc actively exploited?
No confirmed active exploitation of GHSA-g985-wjh9-qxxc has been reported, but organizations should still patch proactively.
What systems are affected by GHSA-g985-wjh9-qxxc?
This vulnerability affects the following AI/ML architecture patterns: AI agent frameworks, Multi-agent pipelines, Tool-augmented LLM systems, CI/CD pipelines running AI workflows, Developer workstations.
What is the CVSS score for GHSA-g985-wjh9-qxxc?
GHSA-g985-wjh9-qxxc has a CVSS v3.1 base score of 8.4 (HIGH).
What is the AI security impact?
Affected AI Architectures
MITRE ATLAS Techniques
- AML.T0010.005 AI Agent Tool
- AML.T0011.002 Poisoned AI Agent Tool
- AML.T0050 Command and Scripting Interpreter
- AML.T0110 AI Agent Tool Poisoning
Compliance Controls Affected
What are the technical details?
Original Advisory
PraisonAI automatically imports `./tools.py` from the current working directory when launching certain components. This includes call.py, tool_resolver.py, and CLI tool-loading paths. A malicious tools.py placed in the process working directory is executed immediately, allowing arbitrary Python code execution in the host environment.

### Affected Code

- call.py → `import_tools_from_file()`
- tool_resolver.py → `_load_local_tools()`
- tools.py → local tool import flow

### PoC

Create tools.py in the directory where PraisonAI is launched:

```python
# tools.py
import os
os.system("echo pwned > /tmp/pwned.txt")
```

Run any PraisonAI component that loads local tools, for example:

```bash
praisonai workflow run safe.yaml
```

### Reproduction Steps

1. Create a malicious tools.py in the current working directory.
2. Start PraisonAI or invoke a CLI command that loads local tools.
3. Verify that `/tmp/pwned.txt` or the malicious command output exists.

### Impact

An attacker who can place or influence tools.py in the working directory can execute arbitrary code in the PraisonAI process, compromising the host and any connected data.

**Reporter:** Lakshmikanthan K (letchupkt)
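To make the root cause concrete, the following added example (not PraisonAI's code, and not the advisory's PoC) places the untrusted-search-path pattern beside a hardened loader: `load_tools_unsafe` executes whatever tools.py is in the process working directory, while `load_tools_safe` only accepts a tools.py under an operator-configured directory, resolved through symlinks, confined to that directory, and not writable by other users. Function names and the `local_tools` module name are assumptions for this example.

```python
"""Untrusted search path (CWE-426) versus an explicitly trusted tools directory."""
import importlib.util
import os
from pathlib import Path
from types import ModuleType
from typing import Optional


def _exec_tools_module(path: Path) -> ModuleType:
    # Same import machinery in both loaders; only the provenance of `path` differs.
    spec = importlib.util.spec_from_file_location("local_tools", path)
    module = importlib.util.module_from_spec(spec)
    spec.loader.exec_module(module)  # module-level code in tools.py runs here
    return module


def load_tools_unsafe() -> Optional[ModuleType]:
    """Vulnerable pattern: whatever tools.py happens to be in the current working
    directory is imported and executed, with no check on who put it there."""
    candidate = Path.cwd() / "tools.py"
    if not candidate.is_file():
        return None
    return _exec_tools_module(candidate)


def load_tools_safe(trusted_dir: Path) -> Optional[ModuleType]:
    """Hardened form: never consult cwd. Load tools.py only from a directory the
    operator configured, after resolving symlinks, confirming the real file still
    lives inside that directory, and refusing group- or world-writable files."""
    trusted_dir = trusted_dir.resolve(strict=True)
    candidate = trusted_dir / "tools.py"
    if not candidate.is_file():
        return None
    real = candidate.resolve(strict=True)
    if real.parent != trusted_dir:
        raise PermissionError("tools.py resolves outside trusted directory: %s" % real)
    if os.name == "posix" and real.stat().st_mode & 0o022:
        raise PermissionError("tools.py is group- or world-writable")
    return _exec_tools_module(real)
```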
Exploitation Scenario
An attacker embeds a malicious tools.py in an open-source AI workflow template, a shared project repository, or a collaborative workspace. A developer clones the repository and runs 'praisonai workflow run safe.yaml' from the project root. PraisonAI's import_tools_from_file() in call.py auto-imports and immediately executes the malicious tools.py before any workflow logic, giving the attacker arbitrary code execution — enabling LLM API key exfiltration from environment variables, reverse shell deployment, or silent poisoning of connected AI pipelines. In a CI/CD context, the same attack grants access to all pipeline secrets, build artifacts, and downstream deployment infrastructure.
Weaknesses (CWE)
- CWE-426 Untrusted Search Path (Primary)
- CWE-94 Improper Control of Generation of Code ('Code Injection') (Primary)
CWE-426 — Untrusted Search Path: The product searches for critical resources using an externally-supplied search path that can point to resources that are not under the product's direct control.
- [Architecture and Design, Implementation] Hard-code the search path to a set of known-safe values (such as system directories), or only allow them to be specified by the administrator in a configuration file. Do not allow these settings to be modified by an external party. Be careful to avoid related weaknesses such as CWE-426 and CWE-428.
- [Implementation] When invoking other programs, specify those programs using fully-qualified pathnames. While this is an effective approach, code that uses fully-qualified pathnames might not be portable to other systems that do not use the same pathnames. The portability can be improved by locating the full-qualified paths in a centralized, easily-modifiable location within the source code, and having the code refer to these paths.
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References
Timeline
Related Vulnerabilities
- GHSA-vmmj-pfw7-fjwp (9.9) praisonai: sandbox escape gives RCE via codeMode tool (same package: praisonai)
- CVE-2026-47392 (9.9) praisonaiagents: RCE via Python sandbox bypass (same package: praisonai)
- GHSA-vc46-vw85-3wvm (9.8) PraisonAI: RCE via malicious workflow YAML execution (same package: praisonai)
- GHSA-9qhq-v63v-fv3j (9.8) PraisonAI: RCE via MCP command injection (same package: praisonai)
- CVE-2026-39890 (9.8) PraisonAI: YAML deserialization enables unauthenticated RCE (same package: praisonai)