📄 Description (English)
PraisonAI is a multi-agent teams system. Prior to version 4.6.37, the _safe_extractall helper that all recipe pull, recipe publish, and recipe unpack flows route through validates each archive member's name for absolute paths, .. segments, and resolved-path escape — but does not validate member.linkname, does not reject symlink/hardlink members, and calls tar.extractall(dest_dir) without filter="data". A bundle that contains a symlink with a name inside dest_dir but a linkname pointing outside it, followed by a regular file whose path traverses through the just-created symlink, escapes dest_dir and lets the attacker write arbitrary content to an attacker-chosen location on the victim's filesystem. This issue has been patched in version 4.6.37.
🤖 AI Executive Summary
PraisonAI versions prior to 4.6.37 contain a critical path traversal vulnerability in archive extraction that allows attackers to write arbitrary files to the filesystem through symlink exploitation. The vulnerability affects recipe pull, publish, and unpack operations, enabling remote code execution when combined with executable file placement. This poses significant risk to organizations using PraisonAI for AI agent orchestration and automation workflows.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: May 13, 2026 00:18
🇸🇦 Saudi Arabia Impact Assessment
Saudi organizations leveraging PraisonAI for AI-driven automation face critical risk, particularly in: (1) Government digital transformation initiatives using AI agents for process automation; (2) Banking sector deploying PraisonAI for fraud detection and customer service automation; (3) ARAMCO and energy sector using AI agents for operational optimization; (4) Telecom operators (STC, Mobily) implementing AI-based network management; (5) Healthcare institutions using AI agents for administrative automation. The vulnerability enables arbitrary code execution, potentially compromising sensitive data, operational systems, and regulatory compliance (SAMA, NCA requirements).
🏢 Affected Saudi Sectors
Government and Digital Transformation
Banking and Financial Services
Energy and Oil & Gas (ARAMCO)
Telecommunications (STC, Mobily)
Healthcare and Medical Services
Insurance and Financial Technology
Retail and E-commerce
Manufacturing and Industrial Automation
🎯 MITRE ATT&CK Techniques
⚖️ Saudi Risk Score (AI)
8.7
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Identify all systems running PraisonAI versions < 4.6.37 using asset inventory and dependency scanning
2. Disable or restrict access to recipe pull, publish, and unpack operations until patching is complete
3. Implement network segmentation to limit PraisonAI process privileges and filesystem access
4. Monitor for suspicious file creation patterns in PraisonAI working directories
PATCHING GUIDANCE:
1. Upgrade PraisonAI to version 4.6.37 or later immediately
2. Verify patch application by checking version output: praisonai --version
3. Restart all PraisonAI services and dependent applications
4. Test recipe operations in isolated environment before production deployment
COMPENSATING CONTROLS (if immediate patching delayed):
1. Run PraisonAI processes with minimal filesystem permissions (dedicated user, restricted directories)
2. Disable symlink support at filesystem level where possible (mount with nosymfollow)
3. Implement strict input validation on recipe sources - whitelist trusted repositories only
4. Use AppArmor/SELinux profiles to restrict PraisonAI file write operations
5. Deploy file integrity monitoring (AIDE, Tripwire) on critical system directories
DETECTION RULES:
1. Monitor for tar/archive extraction operations with symlink creation: auditctl -w /path/to/praisonai -p wa -k praisonai_extract
2. Alert on unexpected file creation outside designated PraisonAI directories
3. Log all recipe pull/publish/unpack operations with source validation
4. Detect symlink creation followed by path traversal patterns in process syscalls
5. Monitor for PraisonAI process writing to system directories (/etc, /usr/bin, /var/www)
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. تحديد جميع الأنظمة التي تقوم بتشغيل إصدارات PraisonAI < 4.6.37 باستخدام مسح المخزون والتبعيات
2. تعطيل أو تقييد الوصول إلى عمليات سحب الوصفات ونشرها وفك حزمها حتى اكتمال التصحيح
3. تنفيذ تقسيم الشبكة لتحديد امتيازات عملية PraisonAI والوصول إلى نظام الملفات
4. مراقبة أنماط إنشاء الملفات المريبة في أدلة عمل PraisonAI
إرشادات التصحيح:
1. ترقية PraisonAI إلى الإصدار 4.6.37 أو أحدث على الفور
2. التحقق من تطبيق التصحيح بفحص إخراج الإصدار: praisonai --version
3. إعادة تشغيل جميع خدمات PraisonAI والتطبيقات التابعة
4. اختبار عمليات الوصفات في بيئة معزولة قبل نشر الإنتاج
الضوابط البديلة (إذا تأخر التصحيح الفوري):
1. تشغيل عمليات PraisonAI بأقل صلاحيات نظام ملفات (مستخدم مخصص، أدلة مقيدة)
2. تعطيل دعم الروابط الرمزية على مستوى نظام الملفات حيث أمكن (التثبيت مع nosymfollow)
3. تنفيذ التحقق الصارم من المدخلات على مصادر الوصفات - قائمة بيضاء للمستودعات الموثوقة فقط
4. استخدام ملفات تعريف AppArmor/SELinux لتقييد عمليات كتابة ملفات PraisonAI
5. نشر مراقبة سلامة الملفات (AIDE، Tripwire) على الأدلة الحرجة للنظام
قواعد الكشف:
1. مراقبة عمليات استخراج tar/archive مع إنشاء الروابط الرمزية
2. تنبيه عند إنشاء ملفات غير متوقعة خارج أدلة PraisonAI المخصصة
3. تسجيل جميع عمليات سحب/نشر/فك حزم الوصفات مع التحقق من المصدر
4. كشف إنشاء الروابط الرمزية متبوعاً بأنماط اجتياز المسارات في استدعاءات النظام
5. مراقبة عملية PraisonAI الكتابة إلى أدلة النظام
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC 2024 A.5.1.1 - Information security policies and procedures
ECC 2024 A.8.1.1 - User access management and authentication
ECC 2024 A.12.2.1 - Change management procedures
ECC 2024 A.12.6.1 - Management of technical vulnerabilities
ECC 2024 A.14.2.1 - Secure development and change control
🔵 SAMA CSF
SAMA CSF ID.GV-1 - Organizational context and governance
SAMA CSF PR.IP-1 - Information security policy and procedures
SAMA CSF PR.IP-12 - Software development and change management
SAMA CSF DE.CM-8 - Vulnerability scanning and management
SAMA CSF RS.MI-2 - Incident response and recovery procedures
🟡 ISO 27001:2022
ISO 27001:2022 A.5.1 - Policies for information security
ISO 27001:2022 A.8.1 - User access management
ISO 27001:2022 A.12.2 - Change management
ISO 27001:2022 A.12.6 - Management of technical vulnerabilities
ISO 27001:2022 A.14.2 - Secure development and change control
🟣 PCI DSS v4.0.1
PCI DSS 6.2 - Security patches and updates
PCI DSS 6.3.1 - Vulnerability identification and remediation
PCI DSS 11.2 - Vulnerability scanning and assessment
📦 Affected Products / CPE 1 entries
praison:praisonai