GHSA-vjv9-7m7j-h833: npm PraisonAI SandboxExecutor allowedCommands bypass via shell chaining
The published npm package praisonai exports SandboxExecutor, CommandValidator, and sandboxExec as “safe command execution with restrictions.” When allowedCommands is configured, CommandValidator checks only the first whitespace-delimited token of the command string. SandboxExecutor then passes the entire original string to spawn("sh", ["-c", command]).
With a policy that allows only echo, this direct command is correctly rejected:
cat /tmp/marker
but this chained command is accepted and executed:
echo allowed; cat /tmp/marker
The shell executes cat even though cat is not allowlisted. This bypasses the command allowlist and can execute arbitrary shell commands with the PraisonAI process privileges when an application, CLI workflow, or agent pipeline exposes sandbox command execution to lower-trust users, prompts, or model output.
The PoV is deterministic and local-only. It creates and reads only a temporary marker file.
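The gap between the first-token check and what `sh -c` actually parses, as an added example that is not praisonai's code: `firstTokenCheck`, `toSafeArgv`, `compare` and the sample inputs are hypothetical names constructed here. The stricter validator rejects any shell metacharacter and returns an argv array intended for execution without a shell.

```javascript
// Hypothetical model of the behaviour described in the advisory; not the package's source.
const ALLOWED = new Set(["echo"]);

// Flawed check: only the first whitespace-delimited token is compared to the allowlist.
function firstTokenCheck(command, allowed = ALLOWED) {
  const first = command.trim().split(/\s+/)[0];
  return allowed.has(first);
}

// Characters sh treats as control operators, expansion, redirection, quoting or globbing.
const SHELL_META = /[;&|<>`$(){}\[\]\\!*?~#'"\n\r]/;

// Stricter check: refuse anything the shell would interpret, then return an argv array.
// The caller is expected to run it as spawn(argv[0], argv.slice(1), { shell: false }),
// so no shell ever parses the string.
function toSafeArgv(command, allowed = ALLOWED) {
  if (typeof command !== "string" || SHELL_META.test(command)) return null;
  const argv = command.trim().split(/\s+/).filter(Boolean);
  if (argv.length === 0 || !allowed.has(argv[0])) return null;
  return argv;
}

// Constructed sample inputs taken from the commands quoted in the advisory text.
const SAMPLES = [
  "echo allowed",
  "cat /tmp/marker",
  "echo allowed; cat /tmp/marker",
];

// Run both checks over each sample so the disagreement is visible side by side.
function compare(samples = SAMPLES) {
  return samples.map((cmd) => ({
    cmd,
    firstToken: firstTokenCheck(cmd),
    argv: toSafeArgv(cmd),
  }));
}

for (const row of compare()) {
  console.log(JSON.stringify(row));
}
```

Only the chained command is treated differently: the first-token check accepts it, while the stricter validator returns `null` because of the `;`.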