Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
PraisonAI before 1.6.78 Path Traversal via config.toml
Vulnerability Description
PraisonAI (pip package praisonaiagents) before 1.6.78 automatically loads defaults from a project-local .praisonai/config.toml when constructing an Agent, and does not validate the defaults.output.output_file path. A repository-controlled config file can set output_file to an absolute or '..' traversal path; when the developer subsequently calls agent.start() without explicitly passing an output parameter, PraisonAI writes the agent response to that path (creating parent directories as needed), allowing an untrusted checked-out project to overwrite files outside the project root with the privileges of the user running PraisonAI.
CVSS Information
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Vulnerability Type
对路径名的限制不恰当(路径遍历)
Vulnerability Title
Mervin Praison PraisonAI 路径遍历漏洞
Vulnerability Description
Mervin Praison PraisonAI是Mervin Praison个人开发者开源的一个低代码多智能体协作框架。 Mervin Praison PraisonAI 1.6.78之前版本存在路径遍历漏洞,该漏洞源于在构建Agent时自动从项目本地的.praisonai/config.toml加载默认值,且未验证defaults.output.output_file路径,允许仓库控制的配置文件设置绝对路径或“..”遍历路径,导致不受信任的检出项目可覆盖项目根目录外的文件。
CVSS Information
N/A
Vulnerability Type
N/A