PraisonAI's recipe registry publish endpoint improperly limits pathname traversal by writing uploaded recipe bundles to filesystem paths based on the bundle's internal manifest.json before validating the manifest name and version against the HTTP route. This allows an attacker to include '../' sequences in the manifest, causing arbitrary file writes outside the configured registry root directory on the registry host. Although the request is rejected with HTTP 400, the file write occurs prior to this validation. The vulnerability affects versions prior to 1.5.113 and requires either no token authentication or publish access with a token. This is a CWE-22 path traversal vulnerability with a CVSS 3.1 score of 7.1 (high severity).

An attacker with network access to the recipe registry publish endpoint can cause arbitrary files to be written outside the intended directory on the registry host. This can lead to unauthorized modification of files, potentially impacting the integrity of the system. The vulnerability does not allow confidentiality compromise but has a high impact on integrity and a low impact on availability. Exploitation requires either no token authentication or publish access if a token is configured.

This vulnerability is fixed in PraisonAI version 1.5.113. Users should upgrade to version 1.5.113 or later to remediate this issue. Until upgraded, deployments should ensure that the recipe registry publish endpoint is not exposed to untrusted networks and that token authentication is enforced to restrict publish access. Patch status is not explicitly confirmed in the vendor advisory, but the fix is stated to be included in version 1.5.113.