PraisonAI versions before 4.5.128 automatically import and execute a tools.py file found in the current working directory using importlib.util.spec_from_file_location and spec.loader.exec_module(), without explicit user consent, validation, or sandboxing. This implicit loading happens even if tools.py is not referenced in configuration files, enabling an attacker who can place a malicious tools.py file in the working directory to achieve arbitrary code execution immediately upon startup. This behavior breaches the security boundary between user-controlled project files and executable code. The issue is addressed in PraisonAI version 4.5.128.

An attacker able to place a malicious tools.py file in the working directory where PraisonAI is executed can achieve arbitrary code execution with the privileges of the user running the software. This can lead to full compromise of the affected system, including confidentiality, integrity, and availability impacts. The vulnerability is exploitable locally or via scenarios where an attacker can influence the working directory contents. No known exploits in the wild have been reported.

This vulnerability is fixed in PraisonAI version 4.5.128. Users should upgrade to version 4.5.128 or later to remediate this issue. Until upgrading, ensure that untrusted users cannot place files named tools.py in directories where PraisonAI is executed. Patch status is not explicitly stated beyond the fixed version; therefore, verify the vendor advisory for the latest remediation guidance.