GHSA-r9x3-wx45-2v7f
Suggest an improvement- Source
- https://github.com/advisories/GHSA-r9x3-wx45-2v7f
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-r9x3-wx45-2v7f/GHSA-r9x3-wx45-2v7f.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-r9x3-wx45-2v7f
- Aliases
-
- CVE-2026-39308
- Published
- 2026-04-06T23:09:19Z
- Modified
- 2026-04-07T22:21:53.147353Z
- Severity
-
- 7.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L CVSS Calculator
- Summary
- PraisonAI recipe registry publish path traversal allows out-of-root file write
- Details
-
Summary
PraisonAI's recipe registry publish endpoint writes uploaded recipe bundles to a filesystem path derived from the bundle's internal
manifest.jsonbefore it verifies that the manifestnameandversionmatch the HTTP route. A malicious publisher can place../traversal sequences in the bundle manifest and cause the registry server to create files outside the configured registry root even though the request is ultimately rejected with HTTP400.This is an arbitrary file write / path traversal issue on the registry host. It affects deployments that expose the recipe registry publish flow. If the registry is intentionally run without a token, any network client that can reach the service can trigger it. If a token is configured, any user with publish access can still exploit it.
Details
The bug is caused by the order of operations between the HTTP handler and the registry storage layer.
RegistryServer._handle_publish()insrc/praisonai/praisonai/recipe/server.py:370-426parsesPOST /v1/recipes/{name}/{version}, writes the uploaded.praisonfile to a temporary path, and immediately calls:
result = self.registry.publish(tmp_path, force=force)LocalRegistry.publish()insrc/praisonai/praisonai/recipe/registry.py:214-287opens the uploaded tarball, readsmanifest.json, and trusts the attacker-controllednameandversionfields:
name = manifest.get("name") version = manifest.get("version") recipe_dir = self.recipes_path / name / version recipe_dir.mkdir(parents=True, exist_ok=True) bundle_name = f"{name}-{version}.praison" dest_path = recipe_dir / bundle_name shutil.copy2(bundle_path, dest_path)- Validation helpers already exist in the same file:
def _validate_name(name: str) -> bool: def _validate_version(version: str) -> bool:but they are not called before the filesystem write.
- Only after
publish()returns does the route compare the manifest values with the URL values:
if result["name"] != name or result["version"] != version: self.registry.delete(result["name"], result["version"]) return self._error_response(...)At that point the out-of-root artifact has already been created. The request returns an error, but the write outside the registry root remains on disk.
Verified vulnerable behavior:
- Request path:
/v1/recipes/safe/1.0.0 - Internal manifest name:
../../outside-dir - Server response: HTTP
400 - Leftover artifact:
/tmp/praisonai-publish-traversal-poc/outside-dir-1.0.0.praison
This demonstrates that the write occurs before the consistency check and rollback.
PoC
Run the single verification script from the checked-out repository:
cd "/Users/r1zzg0d/Documents/CVE hunting/targets/PraisonAI" python3 tmp/pocs/poc.pyExpected vulnerable output:
[+] Publish response status: 400 { "ok": false, "error": "Bundle name/version (../../outside-dir@1.0.0) doesn't match URL (safe@1.0.0)", "code": "error" } [+] Leftover artifact exists: True [+] Artifact under registry root: False [+] RESULT: VULNERABLE - upload was rejected, but an out-of-root artifact was still created.Then verify the artifact manually:
ls -l /tmp/praisonai-publish-traversal-poc/outside-dir-1.0.0.praison find /tmp/praisonai-publish-traversal-poc -maxdepth 2 | sortWhat the script does internally:
- Starts a local PraisonAI recipe registry server.
- Builds a malicious
.praisonbundle whose internalmanifest.jsoncontainsname = ../../outside-dir. - Uploads that bundle to the apparently safe route
/v1/recipes/safe/1.0.0. - Receives the expected
400mismatch error. - Confirms that
outside-dir-1.0.0.praisonwas still written outside the configured registry directory.
Impact
This is a path traversal / arbitrary file write vulnerability in the recipe registry publish flow.
Impacted parties:
- Registry operators running the PraisonAI recipe registry service.
- Any deployment that allows remote recipe publication.
- Any environment where adjacent writable filesystem locations contain sensitive application data, service files, or staged content that could be overwritten or planted.
Security impact:
- Integrity impact is high because an attacker can create or overwrite files outside the registry root.
- Availability impact is possible if the attacker targets adjacent runtime or application files.
- The issue can be chained with other local loading or deployment behaviors if nearby files are later consumed by another component.
Remediation
Validate
manifest.jsonnameandversionbefore any path join or filesystem write. Reject path separators,.., absolute paths, and any value that fails the existing_validate_name()/_validate_version()checks.Resolve the final destination path and enforce that it remains under the configured registry root before calling
mkdir()orcopy2(). For example, compare the resolved destination againstself.recipes_path.resolve().Move the URL-to-manifest consistency check ahead of
self.registry.publish(...), or refactorpublish()so it receives already-validated route parameters instead of trusting attacker-controlled manifest values for storage paths.
- Database specific
{ "nvd_published_at": "2026-04-07T17:16:36Z", "severity": "HIGH", "github_reviewed_at": "2026-04-06T23:09:19Z", "cwe_ids": [ "CWE-22" ], "github_reviewed": true }- References
Affected packages
PyPI / praisonai
Package
- Name
- praisonai
- View open source insights on deps.dev
- Purl
- pkg:pypi/praisonai
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed4.5.113