Path traversal in PraisonAI recipe unpack enables file overwrite
TL;DR — A crafted .praison archive can write files outside the target directory when unpacked, enabling arbitrary file overwrite on developer machines or build hosts that run praisonai recipe unpack.
What happened
PraisonAI is a Python-based “multi-agent teams” system that includes a CLI for working with recipe bundles (.praison). A GitHub Security Advisory reports a Critical path traversal issue in the cmd_unpack flow: the CLI extracts tar members using tar.extract() without validating member paths, so entries like ../../.bashrc can be written outside the intended output directory.
| Item | Source value |
|---|---|
| Affected software | pip package praisonai |
| Vulnerable command | praisonai recipe unpack |
| Impact | Arbitrary file write via path traversal during tar extraction |
| Severity | Critical, CVSS v4 base score 9.4 |
| Affected versions | >= 2.7.2 |
| Patched versions | >= 4.5.128 |
The advisory includes a proof-of-concept bundle that writes ../../.bashrc during extraction, and notes that other CLI paths (e.g., pull and publish) already use a safer extraction helper.
Archive-extraction path traversal (“Zip Slip” / tar traversal) remains a high-leverage supply-chain pattern: it turns “open a bundle” workflows into filesystem write primitives, which frequently become credential theft or code execution via config/script overwrite.
Who is impacted
- Any environment running `praisonai` versions `>= 2.7.2` and using `praisonai recipe unpack`.
- Developers or CI/build hosts that unpack `.praison` bundles from untrusted or weakly-trusted sources (shared recipe repositories, tutorial downloads, direct file sharing).
- Higher-risk setups where the unpack destination is close (in path terms) to sensitive files (shell startup files like `~/.bashrc` / `~/.zshrc`, SSH `authorized_keys`, cron configs, or adjacent project/workspace directories).
What to do now
- Follow vendor remediation guidance and apply the patched release (`praisonai >= 4.5.128`) referenced in the advisory.
- Treat `.praison` bundles as untrusted input:
  - Avoid running `praisonai recipe unpack` on bundles you did not build yourself or cannot validate.
  - Prefer isolated/unprivileged environments (throwaway containers / dedicated sandbox directories) for unpacking and inspection.
- If you maintain an internal fork or downstream packaging, implement the advisory’s remediation for safe extraction: "Replace the raw extraction loop with `_safe_extractall`"
- If you suspect exposure, review for unexpected file modifications outside the intended output directory around the time bundles were unpacked (e.g., shell init files, SSH keys, cron entries, and parent-directory project files).
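An added example, not PraisonAI's code and not the advisory's `_safe_extractall` helper: one way to validate tar member paths before extraction, run against a constructed in-memory bundle. The function names, member names and destination path are assumptions made for illustration.

```python
import io
import os
import tarfile
import tempfile


def find_unsafe_members(tar: tarfile.TarFile, dest: str) -> list[str]:
    """Return names of members that resolve outside dest or are links/devices."""
    root = os.path.realpath(dest)
    unsafe = []
    for member in tar.getmembers():
        target = os.path.realpath(os.path.join(root, member.name))
        inside = os.path.commonpath([root, target]) == root
        # Links and device nodes can redirect later writes, so reject them too.
        if not inside or not (member.isfile() or member.isdir()):
            unsafe.append(member.name)
    return unsafe


def safe_unpack(tar: tarfile.TarFile, dest: str) -> list[str]:
    """Extract only if every member is safe; otherwise write nothing and raise."""
    unsafe = find_unsafe_members(tar, dest)
    if unsafe:
        raise ValueError(f"refusing to unpack, unsafe members: {unsafe}")
    os.makedirs(dest, exist_ok=True)
    # Defense in depth: use the stdlib "data" filter where this Python has it.
    extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    for member in tar.getmembers():
        tar.extract(member, path=dest, **extra)
    return [m.name for m in tar.getmembers()]


def build_bundle(names: list[str]) -> tarfile.TarFile:
    """Constructed sample: in-memory gzip tar holding one small file per name."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as out:
        for name in names:
            data = b"constructed sample\n"
            info = tarfile.TarInfo(name)
            info.size = len(data)
            out.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return tarfile.open(fileobj=buf, mode="r:gz")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        dest = os.path.join(tmp, "a", "b", "out")
        print(safe_unpack(build_bundle(["manifest.json", "recipe.yaml"]), dest))
        print(find_unsafe_members(build_bundle(["manifest.json", "../../.bashrc"]), dest))
```

The whole archive is checked before anything is written, so a bundle with one bad member leaves the destination untouched.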
