Technologyglobal✓ verified · 90%

npm PraisonAI codeMode sandbox escape via Function constructor

Name: npm PraisonAI codeMode sandbox escape via Function constructor
Start: 2026-06-18T14:26:32Z
Location: Global (internet)

When: 2026-06-18 14:26 UTC
Where: Global (internet)
Category: cyber_advisory · npm

## Summary The published npm package `praisonai` exports a TypeScript built-in tool named `codeMode`. The package describes this tool as executing code in a sandboxed environment, marks its capability as `sandbox: true`, and registers it through the public tools facade. The implementation does not create an isolation boundary. It applies a small regular-expression blocklist, sets `process` and `require` to `undefined` inside a plain JavaScript object, and then executes attacker-controlled code with the host process `new Function` constructor: ```text const fn = new Function('sandbox', `with (sandbox) { ${code} }`); const result = fn(sandbox); ``` Because this runs in the host V8 context, code inside `codeMode` can use the JavaScript prototype chain to recover the real `Function` constructor: ```text ({}).constructor.constructor('return process')() ``` From a normal CommonJS application script, the recovered `process` object exposes `process.mainModule.require`. That bypasses the explicit `require('fs')` and `require('child_process')` controls and allows host filesystem access and subprocess execution from code that was supposed to be sandboxed. ## Technical Details Current-head source says `codeMode` is a built-in package tool and explicitly advertises a sandbox boundary: ```text src/praisonai-ts/src/tools/builtins/code-mode.ts 13: description: 'Execute code that can import and use other tools in a sandboxed environment', 24: capabilities: { 25: sandbox: true, 26: code: true, 28: packageName: 'praisonai', 85: description: 'Execute code in a sandboxed environment with access to imported tools. Write files, run code, and get results.', ``` The same file implements security as a blocklist of exact source-code patterns: ```text src/praisonai-ts/src/tools/builtins/code-mode.ts 108: const blockedPatterns = [ 109: /require\s*$\s*['"]child_process['"]\s*$/, 110: /require\s*$\s*['"]fs['"]\s*$/, 111: /import\s+.*from\s+['"]child_process['"]/, 112: /process\.exit/, 113: /eval\s*\(/, ``` It then tries to hide dangerous globals by shadowing names in a normal object: ```text src/praisonai-ts/src/tools/builtins/code-mode.ts 168: process: undefined, 169: require: undefined, ``` Finally, it executes the untrusted code in the host process using `new Function` and `with (sandbox)`: ```text src/praisonai-ts/src/tools/builtins/code-mode.ts 187: const fn = new Function( 188: 'sandbox', 189: `with (sandbox) { ${code} }` 190: ); 191: const result = fn(sandbox); ``` This is not a sandbox. `new Function` does not create a separate security context, and variable shadowing does not remove access to constructors reachable through normal JavaScript objects. The tool is reachable through the public npm SDK: ```text src/praisonai-ts/src/index.ts 117: airweaveSearch, codeMode, src/praisonai-ts/src/tools/tools.ts 104: // Code Mode 105: registry.register(CODE_MODE_METADATA, createCodeModeTool as ToolFactory); 167: // Code Mode 168: codeMode: (config?: CodeModeConfig) => codeMode(config), ``` ### Why This Is Not Intended Behavior This is not merely "the user can execute code because codeMode executes code." The vulnerability is that code which is explicitly described and exposed as sandboxed can escape the intended restrictions. The implementation itself proves an intended security boundary exists: - `CODE_MODE_METADATA.capabilities.sandbox` is `true`; - the tool description says it executes in a sandboxed environment; - direct access to `fs` and `child_process` is explicitly blocked; - `process` and `require` are explicitly shadowed as `undefined`; - `allowNetwork` defaults to `false`; and - the config includes security-relevant controls such as `blockedTools`, `allowedPaths`, `timeoutMs`, and `maxMemoryMb`. The PoV shows those intended restrictions work for naive payloads but fail for a standard JavaScript prototype-chain escape. PraisonAI's official JavaScript and TypeScript docs describe the npm package as a production-ready agent framework installed with `npm install praisonai`. Public PraisonAI advisories rate comparable Python sandbox escapes as Critical when user/LLM-supplied code crosses from a claimed sandbox into host execution. ## PoV The PoV installs a published npm package version into a temporary project and runs from a real CommonJS script file. Running from a file is important because normal Node applications expose `process.mainModule.require`; `node -e` or stdin do not always reproduce that deployment shape. Run from a local reproduction checkout: ```fish node poc/pov_poc.js 1.7.1 ``` Observed result: ```json { "package": "praisonai", "version": "1.7.1", "codeModeExported": true, "directRequireFsControl": { "stderr": "Blocked pattern detected: require\\s*\$\\s*['\"]fs['\"]\\s*\$", "exitCode": 1, "success": false, "error": "Code contains blocked patterns for security" }, "directChildProcessControl": { "stderr": "Blocked pattern detected: require\\s*\$\\s*['\"]child_process['\"]\\s*\$", "exitCode": 1, "success": false, "error": "Code contains blocked patterns for security" }, "escapedProcessEnv": { "output": "poc", "exitCode": 0, "success": true }, "escapedFilesystem": { "output": "fs-ok", "exitCode": 0, "success": true }, "escapedCommand": { "output": "poc", "exitCode": 0, "success": true } } ``` Interpretation: - direct `require('fs')` is blocked; - direct `require('child_process')` is blocked; - the Function-constructor payload recovers host `process`; - the escaped process reads a host environment variable; - the escaped process imports `fs`; and - the escaped process imports `child_process` and runs a harmless `printf`. The PoV does not contact any LLM provider or external service after npm package installation. It does not modify host files or execute a destructive command. ## PoC The PoV section above contains the local reproduction command, input, and decisive output. ## Impact An attacker who can supply code to `codeMode` can escape the advertised sandbox and execute with the privileges of the Node.js PraisonAI process. Realistic entry points include: - an application that exposes `codeMode` as an agent tool to end users; - an LLM/tool-call flow where prompt-controlled content reaches the `code` parameter; - MCP or tool-registry integrations that make the built-in `codeMode` tool callable; or - any multi-tenant service that relies on `codeMode` to safely run user or model-generated JavaScript. Impact after escape includes: - reading process environment variables, including API keys and service tokens; - reading files available to the Node process; - spawning subprocesses with `child_process`; - writing or modifying files through host filesystem APIs; and - terminating or resource-exhausting the host process. ### Severity Suggested severity: Critical. Rationale: - `AV`: `codeMode` is a designated agent/tool surface and can be reached over the network in standard agent applications that expose tool calls to users or LLM-controlled workflows. - `AC`: a single code payload is enough. - `PR`: the attacker needs the ability to submit code or prompt-controlled content to an agent/tool flow. - `UI`: no additional user interaction is required once the tool is invoked. - `S`: execution crosses from the advertised sandbox security scope into the host Node.js process. - `C`: host files and environment variables are readable. - `I`: host subprocess and filesystem APIs are reachable. - `A`: escaped code can terminate processes or consume host resources. ## Suggested Fix Do not use host-process `new Function` plus source-code blocklists as a sandbox. Recommended fix direction: 1. Disable or clearly mark npm `codeMode` as unsafe until a real isolation boundary exists. 2. Execute untrusted code in a separate OS process, container, worker isolate, or similar bou

Sources

GitHub Advisory Database ↗ · first seen 2026-06-18 14:26 UTC

Defaxon links out to the original reporting and never republishes article text.

Correlated events

Computed by the Defaxon correlation engine — linked by shared actors, co-location, and temporal proximity. Scored hypotheses, never causal claims.

No correlated events found in the current window. As more events arrive, connections form automatically.

← Back to the live map