GHSA-gcq3-mfvh-3x25: PraisonAI Code agent tools fail open without a workspace boundary

PraisonAI Code’s agent-compatible CODE_TOOLS wrappers keep a global workspace root initialized to None. If an application uses CODE_TOOLS, code_read_file, code_search_replace, or code_apply_diff before calling set_workspace(), the wrappers pass workspace=None into lower-level helpers that only enforce path containment when a workspace is truthy. Absolute paths outside the intended project workspace are then read and modified.

The official examples correctly call set_workspace() before CODE_TOOLS, and this report does not claim configured workspaces are ineffective. The issue is the fail-open default. PraisonAI’s security documentation describes workspace boundaries as the path-traversal protection mechanism, and the already-published Python API arbitrary file write advisory (GHSA-hvhp-v2gc-268q) was fixed by defaulting an unset workspace to os.getcwd(). The adjacent read and edit paths reached through CODE_TOOLS still fail open.