Skip to content

PraisonAI has Memory State Leakage and Path Traversal in MultiAgent Context Handling

Moderate severity GitHub Reviewed Published Apr 7, 2026 in MervinPraison/PraisonAI • Updated Apr 9, 2026

Package

pip praisonaiagents (pip)

Affected versions

<= 1.5.114

Patched versions

1.5.115

Description

Summary

The MultiAgentLedger and MultiAgentMonitor components in the provided code exhibit vulnerabilities that can lead to context leakage and arbitrary file operations. Specifically:

  1. Memory State Leakage via Agent ID Collision: The MultiAgentLedger uses a dictionary to store ledgers by agent ID without enforcing uniqueness. This allows agents with the same ID to share ledger instances, leading to potential leakage of sensitive context data.
  2. Path Traversal in MultiAgentMonitor: The MultiAgentMonitor constructs file paths by concatenating the base_path and agent ID without sanitization. This allows an attacker to escape the intended directory using path traversal sequences (e.g., ../), potentially leading to arbitrary file read/write.

Details

Vulnerability 1: Memory State Leakage

  • File: examples/context/12_multi_agent_context.py:68
  • Description: The MultiAgentLedger class uses a dictionary (self.ledgers) to store ledger instances keyed by agent ID. The get_agent_ledger method creates a new ledger only if the agent ID is not present. If two agents are registered with the same ID, they will share the same ledger instance. This violates the isolation policy and can lead to leakage of sensitive context data (system prompts, conversation history) between agents.
  • Exploitability: An attacker can register an agent with the same ID as a victim agent to gain access to their ledger. This is particularly dangerous in multi-tenant systems where agents may handle sensitive user data.

Vulnerability 2: Path Traversal

  • File: examples/context/12_multi_agent_context.py:106
  • Description: The MultiAgentMonitor class constructs file paths for agent monitors by directly concatenating the base_path and agent ID. Since the agent ID is not sanitized, an attacker can provide an ID containing path traversal sequences (e.g., ../../malicious). This can result in files being created or read outside the intended directory (base_path).
  • Exploitability: An attacker can create an agent with a malicious ID (e.g., ../../etc/passwd) to write or read arbitrary files on the system, potentially leading to information disclosure or file corruption.

PoC

Memory State Leakage

multi_ledger = MultiAgentLedger()

# Victim agent (user1) registers and tracks sensitive data
victim_ledger = multi_ledger.get_agent_ledger('user1_agent')
victim_ledger.track_system_prompt("Sensitive system prompt")
victim_ledger.track_history([{"role": "user", "content": "Secret data"}])

# Attacker registers with the same ID
attacker_ledger = multi_ledger.get_agent_ledger('user1_agent')

# Attacker now has access to victim's ledger
print(attacker_ledger.get_ledger().system_prompt)  # Outputs: "Sensitive system prompt"
print(attacker_ledger.get_ledger().history)        # Outputs: [{'role': 'user', 'content': 'Secret data'}]

Path Traversal

with tempfile.TemporaryDirectory() as tmpdir:
    multi_monitor = MultiAgentMonitor(base_path=tmpdir)
    
    # Create agent with malicious ID
    malicious_id = '../../malicious'
    monitor = multi_monitor.get_agent_monitor(malicious_id)
    
    # The monitor file is created outside the intended base_path
    # Example: if tmpdir is '/tmp/safe_dir', the actual path might be '/tmp/malicious'
    print(monitor.path)  # Outputs: '/tmp/malicious' (or equivalent)

Impact

  • Memory State Leakage: This vulnerability can lead to unauthorized access to sensitive agent context, including system prompts and conversation history. In a multi-tenant system, this could result in cross-user data leakage.
  • Path Traversal: An attacker can read or write arbitrary files on the system, potentially leading to information disclosure, denial of service (by overwriting critical files), or remote code execution (if executable files are overwritten).

Recommended Fix

For Memory State Leakage

  • Enforce unique agent IDs at the application level. If the application expects unique IDs, add a check during agent registration to prevent duplicates.
  • Alternatively, modify the MultiAgentLedger to throw an exception if an existing agent ID is reused (unless explicitly allowed).

For Path Traversal

  • Sanitize agent IDs before using them in file paths. Replace any non-alphanumeric characters (except safe ones like underscores) or remove path traversal sequences.
  • Use os.path.join and os.path.realpath to resolve paths, then check that the resolved path starts with the intended base directory.

Example fix for MultiAgentMonitor:

import os

def get_agent_monitor(self, agent_id: str):
    # Sanitize agent_id to remove path traversal
    safe_id = os.path.basename(agent_id.replace('../', '').replace('..\\', ''))
    # Alternatively, use a strict allow-list of characters
    
    # Construct path and ensure it's within base_path
    agent_path = os.path.join(self.base_path, safe_id)
    real_path = os.path.realpath(agent_path)
    real_base = os.path.realpath(self.base_path)
    
    if not real_path.startswith(real_base):
        raise ValueError(f"Invalid agent ID: {agent_id}")
    
    ...

Additionally, consider using a dedicated function for sanitizing filenames.

References

@MervinPraison MervinPraison published to MervinPraison/PraisonAI Apr 7, 2026
Published to the GitHub Advisory Database Apr 8, 2026
Reviewed Apr 8, 2026
Last updated Apr 9, 2026

Severity

Moderate

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

EPSS score

Weaknesses

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. Learn more on MITRE.

Exposure of Resource to Wrong Sphere

The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource. Learn more on MITRE.

CVE ID

No known CVE

GHSA ID

GHSA-766v-q9x3-g744

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.