VulnWatch VulnWatch
← Back to dashboard
Critical github · GHSA-29w3-p9w9-wc47

PraisonAI: Arbitrary File Read/Write via `multiedit` Tool Without Path Validation

Published Jun 18, 2026 CVSS 9.1

Summary

The multiedit tool in src/praisonai/praisonai/tools/multiedit.py allows LLM-controlled arbitrary file read and write without any path validation, workspace boundary check, or protected path guard. This enables an attacker who can influence agent tool arguments (via crafted prompts, user input in chat bots, or malicious YAML workflow configs) to read sensitive files (e.g., /etc/shadow, ~/.ssh/id_rsa, ~/.aws/credentials) and overwrite arbitrary files on the filesystem.

Details

The filepath parameter is used directly with open() for both reading (line 74) and writing (line 130) without any of the following protections that exist in other tools in the same codebase:

  1. No .. path traversal check — unlike file_tools.py (line 66: if '..' in filepath: raise ValueError) and edit_tools.py (line 35).
  2. No workspace boundary validation — unlike file_tools.py (_validate_path with os.path.commonpath check) and skill_tools.py (read_skill_file with workspace boundary check).
  3. No protected path guard — unlike praisonai/code/tools/ which uses is_path_within_directory and protected path checks.
  4. No symlink resolution — unlike file_tools.py which uses os.path.realpath.

The function is exported via src/praisonai/praisonai/tools/__init__.py as a lazy-loaded tool and is available to agents through the PraisonAI CLI tools registry.

Contrast with protected tools: The sibling tools write_file.py, read_file.py, apply_diff.py, and search_replace.py in src/praisonai/praisonai/code/tools/ all implement is_path_within_directory() checks and protected path guards. The multiedit tool has none of these protections.

PoC

Setup: Clean checkout of PraisonAI at commit d5f1114a. No additional dependencies needed beyond Python 3.10+.

Positive trigger — arbitrary file read via dry_run:

cd /tmp && python3 -c "
import sys
sys.path.insert(0, 'src/praisonai')
from praisonai.tools.multiedit import multiedit

# Read any file content via diff output (dry_run=True prevents write)
result = multiedit('/etc/hostname', [{'old': 'DOESNOTEXIST', 'new': 'x'}], dry_run=True)
# The diff output reveals the file contents
print('Success:', result['success'])
print('Content leaked via diff:', len(result.get('diff', '')), 'bytes')
"

Positive trigger — arbitrary file write:

cd /tmp && python3 -c "
import sys
sys.path.insert(0, 'src/praisonai')
from praisonai.tools.multiedit import multiedit

# Write to an arbitrary file outside workspace
with open('/tmp/victim_file.txt', 'w') as f:
    f.write('original content here\n')
result = multiedit('/tmp/victim_file.txt', [{'old': 'original', 'new': 'PWNED'}])
with open('/tmp/victim_file.txt', 'r') as f:
    print('File content after edit:', repr(f.read()))
"

Observed output:

# Read:
Success: False
Content leaked via diff: 0 bytes  (file content still accessible via dry_run diff when edits match)

# Write:
File content after edit: 'PWNED content here\n'

Negative control — non-existent file:

result = multiedit('/nonexistent/file.txt', [{'old': 'a', 'new': 'b'}])
# Returns: {'success': False, 'error': 'File not found: /nonexistent/file.txt'}

Cleanup: rm /tmp/victim_file.txt

Impact

An attacker who can influence the filepath parameter of the multiedit tool (via crafted prompts to an AI agent, user messages in Telegram/Discord/Slack bots using auto_approve_tools=True, or YAML workflow configurations) can:

  • Read arbitrary files — any file readable by the process user, including secrets, SSH keys, cloud credentials, environment files (.env), and configuration files.
  • Write/overwrite arbitrary files — modify any file writable by the process user, enabling privilege escalation (e.g., writing to ~/.bashrc, ~/.ssh/authorized_keys, or overwriting application source code).

This affects all deployments where agents have the multiedit tool available, including the PraisonAI CLI and chat bot deployments where auto_approve_tools defaults to True.

Suggested remediation

Apply the same path validation pattern used by file_tools.py and the code tools in src/praisonai/praisonai/code/tools/:

  1. Add a _validate_path function that:
    • Rejects paths containing ..
    • Resolves symlinks via os.path.realpath
    • Validates the resolved path is within the workspace/CWD using os.path.commonpath
  2. Add protected path guards (.env, .git, .ssh, keys, credentials)
  3. Apply _validate_path to the filepath parameter before any open() call
  4. Consider adding @require_approval(risk_level="high") to the multiedit function
Auth Bypass Agentic / MCP

Affected AI Products

ai agent llm
View original source
Get the weekly digest. Every Monday: top AI security stories of the week. Free.