Summary
PraisonAI's Dynamic Context module provides filesystem-backed history and terminal-log storage. The SDK reference describes the module as providing:
- artifact storage for tool outputs, history, and terminal logs;
- history persistence with search; and
- terminal session logging.
The module also exports agent-callable tool factories:
create_history_tools() returns history_search, history_tail, and history_get.
create_terminal_tools() returns terminal_tail, terminal_grep, and terminal_commands.
Those tools accept run_id and agent_id arguments from the tool caller. The underlying stores join those values into filesystem paths without rejecting absolute paths or .. traversal:
history_dir = self.base_dir / run_id / "history"
return history_dir / f"{agent_id}.jsonl"
terminal_dir = self.base_dir / run_id / "terminal"
return terminal_dir / f"{agent_id}.log"
Because run_id can be an absolute path and agent_id can contain traversal, a lower-trust prompt/user that can call these tools can read .jsonl and .log files outside the configured Dynamic Context base directory.
Technical Details
HistoryStore._get_history_path() and TerminalLogger._get_log_path() treat logical identifiers as path segments, but never validate that the resolved path stays under base_dir.
History path construction:
def _get_history_path(self, run_id: str, agent_id: str) -> Path:
history_dir = self.base_dir / run_id / "history"
history_dir.mkdir(parents=True, exist_ok=True)
return history_dir / f"{agent_id}.jsonl"
Terminal path construction:
def _get_log_path(self, run_id: str, agent_id: str) -> Path:
terminal_dir = self.base_dir / run_id / "terminal"
terminal_dir.mkdir(parents=True, exist_ok=True)
return terminal_dir / f"{agent_id}.log"
The agent tools pass caller-controlled run_id and agent_id directly into these helpers:
def history_tail(agent_id: str = "default", run_id: str = "default", count: int = 10) -> str:
messages = history_store.get_last_messages(agent_id=agent_id, run_id=run_id, count=count)
def terminal_tail(agent_id: str = "default", run_id: str = "default", lines: int = 50) -> str:
return term_logger.tail_session(agent_id=agent_id, run_id=run_id, lines=lines)
There is no check equivalent to:
resolved = candidate.resolve()
base = self.base_dir.resolve()
resolved.relative_to(base)
There is also no identifier allowlist preventing /, \, or .. in run_id or agent_id.
Why This Is Not Intended Behavior
This report does not claim that history and terminal helpers should be unable to read legitimate history or terminal logs. The issue is narrower: logical run_id and agent_id values can escape the configured Dynamic Context base directory.
The controls show the intended boundary:
- legitimate in-base history remains readable;
- legitimate in-base terminal logs remain readable;
- the outside
.jsonl and .log files are not under the configured base_dir; and
- the tools still disclose those outside files through traversal identifiers.
The official context reference describes history persistence and terminal logging as filesystem-backed Dynamic Context features. The context security documentation also treats absolute paths, path traversal, and sensitive files as privacy/security risks. Reading files outside the configured context store conflicts with that documented boundary.
PoV
Run against the latest PyPI package:
uv run --with 'praisonai==4.6.58' \
python poc/pov_poc.py --json
The PoV:
- Creates a temporary Dynamic Context base directory.
- Creates a separate outside directory containing
secret.jsonl and secret.log.
- Creates legitimate in-base history and terminal log controls.
- Calls
history_tail() and history_get() with run_id=<outside-dir> and agent_id=../secret.
- Calls
terminal_tail() and terminal_grep() with the same traversal.
- Confirms the traversal paths resolve to files outside the configured base.
Observed output summary from evidence/pov-pypi-4.6.58.json:
{
"package": "praisonai",
"package_version": "4.6.58",
"controls": {
"valid_history_read_works": true,
"valid_terminal_read_works": true,
"outside_history_file_outside_base_dir": true,
"outside_terminal_file_outside_base_dir": true,
"traversal_history_path_resolves_to_outside_file": true,
"traversal_terminal_path_resolves_to_outside_file": true
},
"outside_history_tail": "Last 1 messages:\\n\\n[system]: poc",
"outside_terminal_tail": "poc\\nsecond line\\n",
"outside_terminal_grep": "Found 1 matches:\\n\\n--- Line 1 ---\\n> poc\\n second line",
"vulnerable": true
}
The PoV is local-only. It does not start a server, contact a third-party target, or use real credentials.
PoC
The PoV section above contains the local reproduction command, input, and decisive output.
Impact
If a PraisonAI application exposes these Dynamic Context tools to untrusted or lower-trust prompts, the lower-trust caller can read files outside the configured context storage when the target file can be reached with the tool-imposed suffix:
history_* tools can disclose reachable .jsonl files;
terminal_* tools can disclose reachable .log files; and
- cross-run or cross-agent context/history/logs can be disclosed if their path is known or guessable.
This can expose conversation history, prompts, terminal output, command logs, tokens, API keys, cloud credentials, operational data, or other secrets stored in JSONL/log files readable by the PraisonAI process.
The impact is confidentiality-only in the tested surface. Integrity and availability are not claimed for this report.
Severity
Suggested severity: High.
Suggested CVSS v3.1:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Rationale:
AV:N: applies when an application exposes an agent with these tools over a network chat/API surface.
AC:L: the traversal needs only chosen run_id and agent_id values.
PR:N: an unauthenticated or public-facing agent endpoint can be exploited without an account. Deployments that require authenticated chat/API access may score this as PR:L.
UI:N: the attacker directly supplies the prompt/tool argument to the exposed agent surface.
C:H: conversation history and terminal logs can contain secrets and private operational data.
I:N/A:N: this report demonstrates read-only disclosure.
Suggested Fix
Treat run_id and agent_id as logical identifiers, not path components.
Recommended fixes:
- Reject absolute paths, path separators, and traversal components in
run_id and agent_id.
- Build candidate paths, call
.resolve(), and reject any path that is not under self.base_dir.resolve().
- Apply the same containment helper to history append/read/search/clear/export and terminal log/read/search/clear/export paths.
- Prefer opaque server-generated run and agent IDs in tool schemas.
- Add regression tests for absolute
run_id, ../ in run_id, and ../ in agent_id for history and terminal tool factories.
Minimal containment shape:
def _safe_child(self, *parts: str) -> Path:
candidate = self.base_dir.joinpath(*parts).resolve()
base = self.base_dir.resolve()
try:
candidate.relative_to(base)
except ValueError as exc:
raise PermissionError("Context path is outside configured base_dir") from exc
return candidate
Pair this with an identifier allowlist, because run_id and agent_id should not need filesystem syntax.
Affected Package/Versions
- Repository:
MervinPraison/PraisonAI
- Ecosystem:
pip
- Package:
praisonai
- Component: Dynamic Context history and terminal tools
- Current source paths:
src/praisonai/praisonai/context/history_store.py
src/praisonai/praisonai/context/terminal_logger.py
- Latest PyPI version validated:
4.6.58
- Current
origin/main validated: 1ad58ca02975ff1398efeda694ea2ab78f20cf3e
- Current
origin/main tag validated: v4.6.58
Suggested affected range:
pip:praisonai >= 3.8.1, <= 4.6.58
Representative local sweep:
3.8.1: vulnerable
4.0.0: vulnerable
4.5.113: vulnerable
4.6.33: vulnerable
4.6.34: vulnerable
4.6.40: vulnerable
4.6.50: vulnerable
4.6.58: vulnerable
Advisory History
Visible PraisonAI advisories and prior submissions were checked. This is distinct from nearby reports:
GHSA-j7qx-p75m-wp7g / poc covers Dynamic Context artifact helpers that accept raw artifact_path values. This report covers separate history and terminal tools that derive paths from run_id and agent_id.
GHSA-766v-q9x3-g744 covers praisonaiagents <= 1.5.114 example MultiAgentLedger / MultiAgentMonitor code. This report affects current pip:praisonai Dynamic Context HistoryStore and TerminalLogger tool factories.
GHSA-9cr9-25q5-8prj covers MCP CLI workflow.show, workflow.validate, and deploy.validate arbitrary file reads.
GHSA-grrg-5cg9-58pf covers read_skill_file() workspace-boundary bypass.
GHSA-693f-pf34-72c5 and GHSA-7j2f-xc8p-fjmq cover file-tool path traversal surfaces, not Dynamic Context history/terminal tools.
Prior reports do not cover history_search, history_tail, history_get, terminal_tail, terminal_grep, terminal_commands, HistoryStore._get_history_path(), or TerminalLogger._get_log_path().
References
- PraisonAI context module reference:
https://docs.praison.ai/docs/sdk/reference/praisonai/modules/context
- PraisonAI Dynamic Context Discovery:
https://docs.praison.ai/docs/features/dynamic-context-discovery
- PraisonAI Context Security & Redaction:
https://docs.praison.ai/docs/features/context-security-redaction https://github.com/MervinPraison/PraisonAI/security/policy
- PraisonAI GitHub advisories:
https://github.com/MervinPraison/PraisonAI/security/advisories
- Related but distinct prior advisory:
https://github.com/advisories/GHSA-766v-q9x3-g744
- MITRE CWE-22:
https://cwe.mitre.org/data/definitions/22.html
- MITRE CWE-200:
https://cwe.mitre.org/data/definitions/200.html
- FIRST CVSS v3.1 calculator:
https://www.first.org/cvss/calculator/3.1
Summary
PraisonAI's Dynamic Context module provides filesystem-backed history and terminal-log storage. The SDK reference describes the module as providing:
The module also exports agent-callable tool factories:
create_history_tools()returnshistory_search,history_tail, andhistory_get.create_terminal_tools()returnsterminal_tail,terminal_grep, andterminal_commands.Those tools accept
run_idandagent_idarguments from the tool caller. The underlying stores join those values into filesystem paths without rejecting absolute paths or..traversal:Because
run_idcan be an absolute path andagent_idcan contain traversal, a lower-trust prompt/user that can call these tools can read.jsonland.logfiles outside the configured Dynamic Context base directory.Technical Details
HistoryStore._get_history_path()andTerminalLogger._get_log_path()treat logical identifiers as path segments, but never validate that the resolved path stays underbase_dir.History path construction:
Terminal path construction:
The agent tools pass caller-controlled
run_idandagent_iddirectly into these helpers:There is no check equivalent to:
There is also no identifier allowlist preventing
/,\, or..inrun_idoragent_id.Why This Is Not Intended Behavior
This report does not claim that history and terminal helpers should be unable to read legitimate history or terminal logs. The issue is narrower: logical
run_idandagent_idvalues can escape the configured Dynamic Context base directory.The controls show the intended boundary:
.jsonland.logfiles are not under the configuredbase_dir; andThe official context reference describes history persistence and terminal logging as filesystem-backed Dynamic Context features. The context security documentation also treats absolute paths, path traversal, and sensitive files as privacy/security risks. Reading files outside the configured context store conflicts with that documented boundary.
PoV
Run against the latest PyPI package:
uv run --with 'praisonai==4.6.58' \ python poc/pov_poc.py --jsonThe PoV:
secret.jsonlandsecret.log.history_tail()andhistory_get()withrun_id=<outside-dir>andagent_id=../secret.terminal_tail()andterminal_grep()with the same traversal.Observed output summary from
evidence/pov-pypi-4.6.58.json:{ "package": "praisonai", "package_version": "4.6.58", "controls": { "valid_history_read_works": true, "valid_terminal_read_works": true, "outside_history_file_outside_base_dir": true, "outside_terminal_file_outside_base_dir": true, "traversal_history_path_resolves_to_outside_file": true, "traversal_terminal_path_resolves_to_outside_file": true }, "outside_history_tail": "Last 1 messages:\\n\\n[system]: poc", "outside_terminal_tail": "poc\\nsecond line\\n", "outside_terminal_grep": "Found 1 matches:\\n\\n--- Line 1 ---\\n> poc\\n second line", "vulnerable": true }The PoV is local-only. It does not start a server, contact a third-party target, or use real credentials.
PoC
The PoV section above contains the local reproduction command, input, and decisive output.
Impact
If a PraisonAI application exposes these Dynamic Context tools to untrusted or lower-trust prompts, the lower-trust caller can read files outside the configured context storage when the target file can be reached with the tool-imposed suffix:
history_*tools can disclose reachable.jsonlfiles;terminal_*tools can disclose reachable.logfiles; andThis can expose conversation history, prompts, terminal output, command logs, tokens, API keys, cloud credentials, operational data, or other secrets stored in JSONL/log files readable by the PraisonAI process.
The impact is confidentiality-only in the tested surface. Integrity and availability are not claimed for this report.
Severity
Suggested severity: High.
Suggested CVSS v3.1:
Rationale:
AV:N: applies when an application exposes an agent with these tools over a network chat/API surface.AC:L: the traversal needs only chosenrun_idandagent_idvalues.PR:N: an unauthenticated or public-facing agent endpoint can be exploited without an account. Deployments that require authenticated chat/API access may score this asPR:L.UI:N: the attacker directly supplies the prompt/tool argument to the exposed agent surface.C:H: conversation history and terminal logs can contain secrets and private operational data.I:N/A:N: this report demonstrates read-only disclosure.Suggested Fix
Treat
run_idandagent_idas logical identifiers, not path components.Recommended fixes:
run_idandagent_id..resolve(), and reject any path that is not underself.base_dir.resolve().run_id,../inrun_id, and../inagent_idfor history and terminal tool factories.Minimal containment shape:
Pair this with an identifier allowlist, because
run_idandagent_idshould not need filesystem syntax.Affected Package/Versions
MervinPraison/PraisonAIpippraisonaisrc/praisonai/praisonai/context/history_store.pysrc/praisonai/praisonai/context/terminal_logger.py4.6.58origin/mainvalidated:1ad58ca02975ff1398efeda694ea2ab78f20cf3eorigin/maintag validated:v4.6.58Suggested affected range:
Representative local sweep:
3.8.1: vulnerable4.0.0: vulnerable4.5.113: vulnerable4.6.33: vulnerable4.6.34: vulnerable4.6.40: vulnerable4.6.50: vulnerable4.6.58: vulnerableAdvisory History
Visible PraisonAI advisories and prior submissions were checked. This is distinct from nearby reports:
GHSA-j7qx-p75m-wp7g/ poc covers Dynamic Context artifact helpers that accept rawartifact_pathvalues. This report covers separate history and terminal tools that derive paths fromrun_idandagent_id.GHSA-766v-q9x3-g744coverspraisonaiagents <= 1.5.114exampleMultiAgentLedger/MultiAgentMonitorcode. This report affects currentpip:praisonaiDynamic ContextHistoryStoreandTerminalLoggertool factories.GHSA-9cr9-25q5-8prjcovers MCP CLIworkflow.show,workflow.validate, anddeploy.validatearbitrary file reads.GHSA-grrg-5cg9-58pfcoversread_skill_file()workspace-boundary bypass.GHSA-693f-pf34-72c5andGHSA-7j2f-xc8p-fjmqcover file-tool path traversal surfaces, not Dynamic Context history/terminal tools.Prior reports do not cover
history_search,history_tail,history_get,terminal_tail,terminal_grep,terminal_commands,HistoryStore._get_history_path(), orTerminalLogger._get_log_path().References
https://docs.praison.ai/docs/sdk/reference/praisonai/modules/contexthttps://docs.praison.ai/docs/features/dynamic-context-discoveryhttps://docs.praison.ai/docs/features/context-security-redactionhttps://github.com/MervinPraison/PraisonAI/security/policyhttps://github.com/MervinPraison/PraisonAI/security/advisorieshttps://github.com/advisories/GHSA-766v-q9x3-g744https://cwe.mitre.org/data/definitions/22.htmlhttps://cwe.mitre.org/data/definitions/200.htmlhttps://www.first.org/cvss/calculator/3.1