PraisonAI's praisonaiagents prior to version 1.5.115 contains a sandbox escape vulnerability in the execute_code() function. The subprocess sandbox uses an AST-based blocklist to restrict certain attribute names, but this blocklist only covers 11 attributes, missing four critical attributes (__traceback__, tb_frame, f_back, and f_builtins) that enable frame traversal. By chaining these attributes through a caught exception, an attacker can access the real Python builtins dictionary within the subprocess wrapper frame. From there, the attacker can retrieve and invoke exec under a non-blocked variable name, effectively bypassing the sandbox's security controls and enabling arbitrary code execution. This vulnerability violates secure design principles (CWE-657) and improper restriction of operations within the sandbox (CWE-693). The issue is resolved in version 1.5.115.

Successful exploitation allows an attacker with limited privileges to bypass the sandbox restrictions and execute arbitrary Python code with the privileges of the subprocess. This leads to complete compromise of the affected system's confidentiality, integrity, and availability. The vulnerability has a CVSS v3.1 score of 10.0, reflecting its critical impact. There are no reports of known exploits in the wild at this time.

A fix for this vulnerability is available in praisonaiagents version 1.5.115. Users should upgrade to version 1.5.115 or later to remediate this issue. Patch status is not explicitly stated beyond the fixed version, so users should consult the vendor's official advisory or release notes for detailed remediation guidance. Until upgraded, users should consider restricting access to the vulnerable functionality or environment to trusted users only.