PraisonAIAgents before version 1.5.128 contains an OS command injection vulnerability (CWE-78) due to improper neutralization of special elements in user-controlled command strings passed to subprocess.run() with shell=True. The vulnerability exists in the memory hooks executor component, specifically at src/praisonai-agents/praisonaiagents/memory/hooks.py. Two independent attack vectors exist: hooks registered via configuration events (pre_run_command and post_run_command) and lifecycle hooks defined in the .praisonai/hooks.json file. The latter allows an attacker with file-write access to persistently execute arbitrary shell commands during agent lifecycle events without user interaction. The vulnerability has a CVSS 4.0 score of 9.3, indicating critical severity. No official remediation level or patch link is provided in the data, but the issue is fixed in version 1.5.128.

Successful exploitation allows an attacker with limited privileges to execute arbitrary OS commands with the privileges of the PraisonAIAgents process. The most severe impact is persistent, silent command execution triggered automatically during agent lifecycle events via the .praisonai/hooks.json configuration. This can lead to full system compromise depending on the agent's privileges. The vulnerability does not require user interaction for the persistent attack vector and has high vector complexity and impact metrics per CVSS 4.0.

Upgrade PraisonAIAgents to version 1.5.128 or later, where this vulnerability is fixed. Since no official patch link or remediation level is provided beyond the version fix, users should verify the upgrade from the vendor's official sources. Until upgraded, restrict file-write access to the .praisonai/hooks.json file and avoid registering untrusted hooks. Monitor for unauthorized modifications to hook configurations. Patch status is not explicitly confirmed beyond the fixed version; check vendor advisories for current remediation guidance.