OS Command Injection in PraisonAI --mcp Argument

Successful exploitation can lead to complete compromise of the host running PraisonAI within the privilege boundary of the PraisonAI process. An attacker can execute arbitrary commands, read files, access environment variables and process-accessible memory, exfiltrate sensitive data such as API keys and database credentials, modify configuration, install persistent backdoors, and terminate critical processes. The vulnerability has high impact on confidentiality, integrity, and availability. In containerized deployments, it may also provide a foothold for subsequent container escape attempts or lateral movement.

If immediate patching is not possible, prevent untrusted users or remote inputs from controlling the --mcp CLI argument or any upstream mechanism that populates it. Restrict access to interfaces that can launch or influence PraisonAI process invocation, enforce strict allowlisting of permitted MCP values, and run PraisonAI with the least privileges possible. Additional mitigations include isolating the service in a hardened container or sandbox, limiting filesystem and network access, monitoring for anomalous child-process creation, and removing sensitive secrets from the process environment where feasible.

Upgrade PraisonAI to version 4.5.69 or later, which patches the vulnerable handling of the --mcp argument. Review the referenced fixing commit and security advisory to validate the exact code changes and ensure all deployments are updated. After patching, rotate any secrets that may have been exposed to the PraisonAI process, including API keys, tokens, and database credentials, and inspect affected hosts for signs of unauthorized command execution or persistence.