PraisonAI agents are vulnerable to a critical sandbox bypass that allows unauthenticated attackers to achieve arbitrary OS command execution on the host system.

The execute_code() function in the praisonai-agents package uses a flawed three-layer sandbox. By passing a string subclass with an overridden startswith() method to the _safe_getattr wrapper, an attacker can bypass all restrictions and execute arbitrary Python and OS commands.

A successful exploit grants the attacker full control over the host system running the AI agents. With a CVSS score of 10.0, this is the most severe type of vulnerability, potentially leading to full data exfiltration, malware installation, and complete infrastructure compromise.

Immediate Action: Update the praisonai-agents package to version 1.5.90 or later immediately to fix the sandbox bypass logic.

Proactive Monitoring: Audit system logs for unusual process spawning from the AI agent service and monitor for unauthorized network connections initiated by the host.

Compensating Controls: Run AI agents in highly isolated environments, such as dedicated virtual machines or hardened containers with minimal privileges and no access to sensitive host resources.

Public Exploit Available: false

A CVSS 10.0 vulnerability requires immediate emergency response. The sandbox intended to protect the host from untrusted code is completely ineffective. Organizations must update to version 1.5.90 immediately and should consider the underlying host compromised if the service was exposed to untrusted inputs.