Description
PraisonAI is a multi-agent teams system. Prior to 4.5.128, the _safe_extractall() function in PraisonAI's recipe registry validates archive members against path traversal attacks but performs no checks on individual member sizes, cumulative extracted size, or member count before calling tar.extractall(). An attacker can publish a malicious recipe bundle containing highly compressible data (e.g., 10GB of zeros compressing to ~10MB) that exhausts the victim's disk when pulled via LocalRegistry.pull() or HttpRegistry.pull(). This vulnerability is fixed in 4.5.128.
Published: 2026-04-09
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch
AI Analysis

Impact

The vulnerability is located in PraisonAI's recipe registry extraction routine. The _safe_extractall function validates archive members against path traversal attacks but does not check individual member sizes, cumulative extracted size, or member count before calling tar.extractall. An attacker can craft a recipe bundle containing highly compressible data that expands to tens of gigabytes during extraction, exhausting the victim’s disk space when pulled via LocalRegistry.pull or HttpRegistry.pull, and thereby causing a denial of service for the application and the host.

Affected Systems

MervinPraison PraisonAI releases prior to version 4.5.128 are affected. All versions before this release contain the flaw; the defect is corrected in 4.5.128, which removes the size‑limit oversight.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity. No EPSS score is available and the issue is not listed in the CISA KEV catalog. Exploitation requires an authorized pull of a malicious recipe bundle from a registry that the user trusts, either local or via HTTP. The attack is straightforward: an attacker needs only to host or provide such a bundle and have it pulled; no authentication bypass or privilege escalation is required.

Generated by OpenCVE AI on April 9, 2026 at 23:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade PraisonAI to version 4.5.128 or later.
  • Restrict registry pulls to trusted sources and enforce size limits before extraction if an upgrade cannot be performed immediately.
  • Consider disabling automatic pulling of recipe bundles until the vulnerability is patched.

Generated by OpenCVE AI on April 9, 2026 at 23:06 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-f2h6-7xfr-xm8w PraisonAI Vulnerable to Decompression Bomb DoS via Recipe Bundle Extraction Without Size Limits
History

Fri, 17 Apr 2026 17:45:00 +0000

Type Values Removed Values Added
First Time appeared Praison
Praison praisonai
CPEs cpe:2.3:a:praison:praisonai:*:*:*:*:*:*:*:*
Vendors & Products Praison
Praison praisonai

Mon, 13 Apr 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 10 Apr 2026 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Mervinpraison
Mervinpraison praisonai
Vendors & Products Mervinpraison
Mervinpraison praisonai

Thu, 09 Apr 2026 21:45:00 +0000

Type Values Removed Values Added
Description PraisonAI is a multi-agent teams system. Prior to 4.5.128, the _safe_extractall() function in PraisonAI's recipe registry validates archive members against path traversal attacks but performs no checks on individual member sizes, cumulative extracted size, or member count before calling tar.extractall(). An attacker can publish a malicious recipe bundle containing highly compressible data (e.g., 10GB of zeros compressing to ~10MB) that exhausts the victim's disk when pulled via LocalRegistry.pull() or HttpRegistry.pull(). This vulnerability is fixed in 4.5.128.
Title PraisonAI Affected by Decompression Bomb DoS via Recipe Bundle Extraction Without Size Limits
Weaknesses CWE-409
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}

Subscriptions

Mervinpraison Praisonai
Praison Praisonai
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-13T20:39:49.494Z

Reserved: 2026-04-09T19:31:56.012Z

Link: CVE-2026-40148

cve-icon Vulnrichment

Updated: 2026-04-13T20:39:46.103Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-09T22:16:35.600

Modified: 2026-04-17T17:38:43.593

Link: CVE-2026-40148

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-10T09:28:52Z

Weaknesses