The PraisonAI CLI is vulnerable to a critical OS command injection flaw, allowing attackers to execute arbitrary commands as the current user via a crafted --mcp argument.

The --mcp command-line argument is passed directly to shlex.split() and subsequently to anyio.open_process() without any validation or sanitization. This allows an attacker to inject shell commands that will be executed with the privileges of the user running the CLI tool.

This vulnerability could be used for local privilege escalation or as part of a larger exploit chain to achieve remote command execution if the CLI is called by a web service. The CVSS score of 9.8 underscores the critical risk of arbitrary command execution on the host machine.

Immediate Action: Update the PraisonAI CLI to version 4.5.69 or later to ensure all command-line arguments are properly sanitized.

Proactive Monitoring: Audit shell command history and process execution logs for suspicious use of the --mcp flag or unexpected child processes originating from the PraisonAI CLI.

Compensating Controls: Implement strict AppArmor or SELinux profiles for the CLI tool to restrict its ability to execute unauthorized system commands or access sensitive files.

Public Exploit Available: false

The direct passing of unsanitized user input to process execution functions is a high-risk practice. Administrators should update to version 4.5.69 immediately. We also recommend that developers use safer APIs for process execution that do not involve shell interpretation whenever possible.