CWE-653
AllowedImproper Isolation or Compartmentalization
Abstraction: Class · Status: Draft
The product does not properly compartmentalize or isolate functionality, processes, or resources that require different privilege levels, rights, or permissions.
101 vulnerabilities reference this CWE, most recent first.
GHSA-G2F8-6MGF-93J8
Vulnerability from github – Published: 2025-01-23 03:30 – Updated: 2025-01-23 15:31lunasvg v3.0.0 was discovered to contain a segmentation violation via the component plutovg_blend.
{
"affected": [],
"aliases": [
"CVE-2024-57720"
],
"database_specific": {
"cwe_ids": [
"CWE-653"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-23T01:15:26Z",
"severity": "MODERATE"
},
"details": "lunasvg v3.0.0 was discovered to contain a segmentation violation via the component plutovg_blend.",
"id": "GHSA-g2f8-6mgf-93j8",
"modified": "2025-01-23T15:31:05Z",
"published": "2025-01-23T03:30:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-57720"
},
{
"type": "WEB",
"url": "https://github.com/sammycage/lunasvg/issues/209"
},
{
"type": "WEB",
"url": "https://github.com/keepinggg/poc/blob/main/poc_of_lunasvg_3.1.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-GPRR-V9F2-PX3C
Vulnerability from github – Published: 2025-03-11 18:32 – Updated: 2025-03-11 20:19Improper isolation or compartmentalization in Azure PromptFlow allows an unauthorized attacker to execute code over a network.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "promptflow-tools"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.6.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "promptflow-core"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.17.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-24986"
],
"database_specific": {
"cwe_ids": [
"CWE-653"
],
"github_reviewed": true,
"github_reviewed_at": "2025-03-11T20:19:55Z",
"nvd_published_at": "2025-03-11T17:16:34Z",
"severity": "MODERATE"
},
"details": "Improper isolation or compartmentalization in Azure PromptFlow allows an unauthorized attacker to execute code over a network.",
"id": "GHSA-gprr-v9f2-px3c",
"modified": "2025-03-11T20:19:56Z",
"published": "2025-03-11T18:32:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24986"
},
{
"type": "WEB",
"url": "https://github.com/microsoft/promptflow/commit/5f4a41ab4cb15607ade7f26138b0b863b4e4eb0a"
},
{
"type": "WEB",
"url": "https://github.com/microsoft/promptflow/commit/625061724c51533d28fe6e0e3014b1042afdb07f"
},
{
"type": "PACKAGE",
"url": "https://github.com/microsoft/promptflow"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-24986"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Azure PromptFlow remote code execution related to Jinja templates"
}
GHSA-GQ6J-MR3Q-JV97
Vulnerability from github – Published: 2025-11-18 18:32 – Updated: 2025-11-18 18:32An Improper Isolation or Compartmentalization vulnerability [CWE-653] in Fortinet FortiSandbox 5.0.0 through 5.0.1, FortiSandbox 4.4.0 through 4.4.7, FortiSandbox 4.2 all versions, FortiSandbox 4.0 all versions may allow an unauthenticated attacker to evade the sandboxing scan via a crafted file.
{
"affected": [],
"aliases": [
"CVE-2025-46215"
],
"database_specific": {
"cwe_ids": [
"CWE-653"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-11-18T17:16:01Z",
"severity": "MODERATE"
},
"details": "An Improper Isolation or Compartmentalization vulnerability [CWE-653] in Fortinet FortiSandbox 5.0.0 through 5.0.1, FortiSandbox 4.4.0 through 4.4.7, FortiSandbox 4.2 all versions, FortiSandbox 4.0 all versions may allow an unauthenticated attacker to evade the sandboxing scan via a crafted file.",
"id": "GHSA-gq6j-mr3q-jv97",
"modified": "2025-11-18T18:32:53Z",
"published": "2025-11-18T18:32:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46215"
},
{
"type": "WEB",
"url": "https://fortiguard.fortinet.com/psirt/FG-IR-24-501"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-GQ7G-VG2Q-JVQ3
Vulnerability from github – Published: 2026-05-26 13:30 – Updated: 2026-06-30 17:18Improper Isolation or Compartmentalization vulnerability in Apache Syncope.
An administrator with adequate entitlements for Implementations can create a malicious Groovy class containing untrusted code reaching a non-sandboxed execution path via the class static initializer.
This issue affects Apache Syncope: 3.0 through 3.0.16, 4.0 through 4.0.5, 4.1.0.
Users are recommended to upgrade to version 4.0.6 / 4.1.1, which fix this issue by forcing even the static initializer in Groovy code to run in a sandbox.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.syncope.core:syncope-core-spring"
},
"ranges": [
{
"events": [
{
"introduced": "3.0.0-M0"
},
{
"last_affected": "3.0.16"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.syncope.core:syncope-core-spring"
},
"ranges": [
{
"events": [
{
"introduced": "4.0.0-M0"
},
{
"fixed": "4.0.6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.syncope.core:syncope-core-spring"
},
"ranges": [
{
"events": [
{
"introduced": "4.1.0-M0"
},
{
"fixed": "4.1.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-42782"
],
"database_specific": {
"cwe_ids": [
"CWE-653"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-30T17:18:21Z",
"nvd_published_at": "2026-05-25T16:16:19Z",
"severity": "HIGH"
},
"details": "Improper Isolation or Compartmentalization vulnerability in Apache Syncope.\n\nAn administrator with adequate entitlements for Implementations can create a malicious Groovy class containing\u00a0untrusted code reaching a non-sandboxed execution path via the class static initializer.\n\nThis issue affects Apache Syncope: 3.0 through 3.0.16, 4.0 through 4.0.5, 4.1.0.\n\nUsers are recommended to upgrade to version 4.0.6 / 4.1.1, which fix this issue by forcing even the static initializer in Groovy code to run in a sandbox.",
"id": "GHSA-gq7g-vg2q-jvq3",
"modified": "2026-06-30T17:18:21Z",
"published": "2026-05-26T13:30:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42782"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/b869ms0ofrd129f7tgsn9flxgv9ztg2r"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2026/05/25/4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Apache Syncope has an Improper Isolation or Compartmentalization vulnerability"
}
GHSA-GQMF-56H7-RRPF
Vulnerability from github – Published: 2026-06-18 14:26 – Updated: 2026-06-18 14:26Summary
The published npm package praisonai exports a TypeScript SandboxExecutor with a network-isolated mode. The CLI lists that mode as:
network-isolated No network access (proxy blocked)
The implementation does not create a network namespace, firewall rule, socket filter, or proxy-enforced execution boundary. It only injects proxy environment variables into the child process:
http_proxy: 'http://localhost:0',
https_proxy: 'http://localhost:0',
HTTP_PROXY: 'http://localhost:0',
HTTPS_PROXY: 'http://localhost:0',
no_proxy: '',
NO_PROXY: ''
Clients that do not explicitly honor those proxy variables continue to use the host network stack. A local-only PoV shows that, inside mode: "network-isolated", a proxy-aware Node invocation is stopped, while a plain Node HTTP client reaches a loopback HTTP server from the same sandboxed command environment.
This is a network-isolation protection failure in an exported npm API and CLI mode. It is not a generic claim that every PraisonAI sandbox backend is affected.
Technical Details
src/praisonai-ts/src/cli/features/sandbox-executor.ts declares the mode:
export type SandboxMode = 'disabled' | 'basic' | 'strict' | 'network-isolated';
SandboxExecutor.spawn() starts the command through the host shell and passes only the environment returned by buildEnv():
const proc = spawn('sh', ['-c', command], {
cwd: this.config.cwd,
env,
timeout: this.config.timeout,
stdio: ['pipe', 'pipe', 'pipe']
});
For network-isolated, buildEnv() does not apply an OS-level network restriction. It only sets proxy variables:
case 'network-isolated':
// No network access (requires additional OS-level setup)
return {
...baseEnv,
http_proxy: 'http://localhost:0',
https_proxy: 'http://localhost:0',
HTTP_PROXY: 'http://localhost:0',
HTTPS_PROXY: 'http://localhost:0',
no_proxy: '',
NO_PROXY: ''
};
The CLI mode listing presents this as no network access:
'network-isolated': 'No network access (proxy blocked)'
That creates a false boundary. Proxy variables affect only clients that choose to read and honor them. Other clients can still open sockets directly from the child process.
Why This Is Not Intended Behavior
The vulnerable behavior is not "commands can run." The issue is that a mode named network-isolated and displayed to users as "No network access" still allows direct socket access.
The source comment says network-isolated requires additional OS-level setup, which is consistent with the finding: proxy variables alone are not a network isolation mechanism. The exported npm API and CLI mode do not provide such setup or warn callers that this mode is only a best-effort proxy hint.
If the intended behavior is merely "set proxy variables for cooperative clients," the mode name and CLI description should be changed so users do not rely on it as a security boundary.
PoV
Run from a local reproduction checkout:
node poc/pov_poc.js 1.7.1
The PoV:
- Installs
npm:praisonai@1.7.1into a temporary project. - Starts a harmless HTTP server bound to
127.0.0.1on a random local port. - Creates
new SandboxExecutor({ mode: "network-isolated" }). - Confirms the child environment contains the proxy variables.
- Runs
node --use-env-proxy client.jsas a proxy-aware control. It fails and does not reach the server. - Runs
node client.jswithout proxy opt-in. It reaches the server and prints the marker.
Observed output summary from evidence/pov-npm-1.7.1.json:
{
"version": "1.7.1",
"mode": "network-isolated",
"control": {
"localServerBoundToLoopback": true,
"proxyVariablesSet": true,
"proxyAwareClientStopped": true,
"requestReachedLoopbackServer": true
},
"observed": {
"proxyAwareRun": {
"success": false,
"stdout": "",
"exitCode": 2
},
"netRun": {
"success": true,
"stdout": "BODY=poc\n",
"exitCode": 0
},
"loopbackHitCount": 1
},
"vulnerable": true
}
The PoV is local-only. It does not contact any external host after npm package installation, and it does not use cloud metadata or destructive commands.
PoC
The PoV section above contains the local reproduction command, input, and decisive output.
Impact
Applications often use sandbox network controls to prevent prompt-injected, user-supplied, or model-generated commands from exfiltrating secrets or reaching internal services. A caller who relies on network-isolated mode for that boundary can still get network egress by using any client that ignores proxy environment variables or by using direct socket APIs.
Depending on the hosting environment, this can allow:
- exfiltration from commands that can read local files, process output, or inherited environment variables;
- access to localhost or internal network services reachable from the PraisonAI host;
- requests to cloud metadata or service endpoints if the host network permits them; and
- bypass of application policy that allows command execution only under a no-network assumption.
This report does not claim that npm PraisonAI exposes this as an unauthenticated network service by default. It is a library-level isolation bypass in an exported TypeScript API and CLI mode.
Severity
Suggested severity: High.
Rationale:
AV: common use is a network-facing application or agent service that accepts user or prompt-controlled work and executes it through the sandbox.AC: a single command using a non-proxy-aware network client is sufficient.PR: conservative scoring assumes the attacker can submit prompts or work items to the application using PraisonAI.UN: no additional operator interaction is required once the command is executed.S: impact is scored against the PraisonAI-hosting process and its network privileges.C: network egress can allow data exfiltration from the sandboxed command context.I/A: reachable internal services can receive attacker-controlled requests, with impact depending on deployment.
If maintainers score only local CLI use, AV:L may be appropriate. If a deployment exposes this through unauthenticated agent endpoints, PR:N may be appropriate.
Suggested Fix
Do not represent proxy environment variables as network isolation.
Recommended:
- For a true
network-isolatedmode, run commands inside an execution boundary with OS-enforced network denial, such as a network namespace, firewall rule, sandbox profile, container, VM, or platform-specific socket filter. - Add regression tests that start a loopback server and verify that direct socket clients, Node
http.get, Python sockets,curl, and other common clients cannot connect undernetwork-isolated. - If only proxy hints are intended, rename the mode to something like
proxy-blocked, document that it is not a security boundary, and keep "network-isolated" unavailable until OS-level enforcement exists. - Consider default-deny egress with explicit allowlists for destinations that must remain reachable from sandboxed commands.
Affected Package/Versions
- Repository:
MervinPraison/PraisonAI - Ecosystem:
npm - Package:
praisonai - Component: TypeScript CLI feature
SandboxExecutor - Latest npm package validated:
1.7.1 - Current
origin/mainvalidated:1ad58ca02975ff1398efeda694ea2ab78f20cf3e src/praisonai-ts/package.jsonatorigin/main:praisonai1.7.1
Suggested affected range:
npm:praisonai >= 1.2.3, <= 1.7.1
Selected version sweep:
1.0.0: package main cannot be required in the selected test environment.1.0.19,1.1.0,1.2.0,1.2.1,1.2.2:SandboxExecutoris not exported.1.2.3: vulnerable.1.2.4: vulnerable.1.3.0: vulnerable.1.3.6: vulnerable.1.4.0: vulnerable.1.5.0: vulnerable.1.5.4: vulnerable.1.6.0: vulnerable.1.7.0: vulnerable.1.7.1: vulnerable.
Advisory History
Visible PraisonAI advisories and prior submissions were checked. The closest related findings are distinct:
GHSA-r4f2-3m54-pp7qcovers PyPISubprocessSandboxshell=Trueand blocklist bypass.GHSA-6jcq-6546-qrrwcovers Python Sandlock fallback to unrestricted subprocess execution when native Landlock is unavailable.GHSA-vmmj-pfw7-fjwpcovers npmcodeModehost-processnew Functionsandbox escape.GHSA-vjv9-7m7j-h833covers npmSandboxExecutorallowedCommandsbypass through shell chaining.
This report is narrower and distinct: npm TypeScript SandboxExecutor network-isolated mode advertises no network access but enforces only proxy environment variables, so non-proxy-aware clients keep network access without needing shell chaining or a disallowed executable.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.7.1"
},
"package": {
"ecosystem": "npm",
"name": "praisonai"
},
"ranges": [
{
"events": [
{
"introduced": "1.2.3"
},
{
"fixed": "1.7.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-653",
"CWE-693"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-18T14:26:28Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "## Summary\n\nThe published npm package `praisonai` exports a TypeScript `SandboxExecutor` with a `network-isolated` mode. The CLI lists that mode as:\n\n```text\nnetwork-isolated No network access (proxy blocked)\n```\n\nThe implementation does not create a network namespace, firewall rule, socket filter, or proxy-enforced execution boundary. It only injects proxy environment variables into the child process:\n\n```ts\nhttp_proxy: \u0027http://localhost:0\u0027,\nhttps_proxy: \u0027http://localhost:0\u0027,\nHTTP_PROXY: \u0027http://localhost:0\u0027,\nHTTPS_PROXY: \u0027http://localhost:0\u0027,\nno_proxy: \u0027\u0027,\nNO_PROXY: \u0027\u0027\n```\n\nClients that do not explicitly honor those proxy variables continue to use the host network stack. A local-only PoV shows that, inside `mode: \"network-isolated\"`, a proxy-aware Node invocation is stopped, while a plain Node HTTP client reaches a loopback HTTP server from the same sandboxed command environment.\n\nThis is a network-isolation protection failure in an exported npm API and CLI mode. It is not a generic claim that every PraisonAI sandbox backend is affected.\n\n## Technical Details\n\n`src/praisonai-ts/src/cli/features/sandbox-executor.ts` declares the mode:\n\n```ts\nexport type SandboxMode = \u0027disabled\u0027 | \u0027basic\u0027 | \u0027strict\u0027 | \u0027network-isolated\u0027;\n```\n\n`SandboxExecutor.spawn()` starts the command through the host shell and passes only the environment returned by `buildEnv()`:\n\n```ts\nconst proc = spawn(\u0027sh\u0027, [\u0027-c\u0027, command], {\n cwd: this.config.cwd,\n env,\n timeout: this.config.timeout,\n stdio: [\u0027pipe\u0027, \u0027pipe\u0027, \u0027pipe\u0027]\n});\n```\n\nFor `network-isolated`, `buildEnv()` does not apply an OS-level network restriction. It only sets proxy variables:\n\n```ts\ncase \u0027network-isolated\u0027:\n // No network access (requires additional OS-level setup)\n return {\n ...baseEnv,\n http_proxy: \u0027http://localhost:0\u0027,\n https_proxy: \u0027http://localhost:0\u0027,\n HTTP_PROXY: \u0027http://localhost:0\u0027,\n HTTPS_PROXY: \u0027http://localhost:0\u0027,\n no_proxy: \u0027\u0027,\n NO_PROXY: \u0027\u0027\n };\n```\n\nThe CLI mode listing presents this as no network access:\n\n```ts\n\u0027network-isolated\u0027: \u0027No network access (proxy blocked)\u0027\n```\n\nThat creates a false boundary. Proxy variables affect only clients that choose to read and honor them. Other clients can still open sockets directly from the child process.\n\n### Why This Is Not Intended Behavior\n\nThe vulnerable behavior is not \"commands can run.\" The issue is that a mode named `network-isolated` and displayed to users as \"No network access\" still allows direct socket access.\n\nThe source comment says `network-isolated` requires additional OS-level setup, which is consistent with the finding: proxy variables alone are not a network isolation mechanism. The exported npm API and CLI mode do not provide such setup or warn callers that this mode is only a best-effort proxy hint.\n\nIf the intended behavior is merely \"set proxy variables for cooperative clients,\" the mode name and CLI description should be changed so users do not rely on it as a security boundary.\n\n## PoV\n\nRun from a local reproduction checkout:\n\n```bash\nnode poc/pov_poc.js 1.7.1\n```\n\nThe PoV:\n\n1. Installs `npm:praisonai@1.7.1` into a temporary project.\n2. Starts a harmless HTTP server bound to `127.0.0.1` on a random local port.\n3. Creates `new SandboxExecutor({ mode: \"network-isolated\" })`.\n4. Confirms the child environment contains the proxy variables.\n5. Runs `node --use-env-proxy client.js` as a proxy-aware control. It fails and does not reach the server.\n6. Runs `node client.js` without proxy opt-in. It reaches the server and prints the marker.\n\nObserved output summary from `evidence/pov-npm-1.7.1.json`:\n\n```json\n{\n \"version\": \"1.7.1\",\n \"mode\": \"network-isolated\",\n \"control\": {\n \"localServerBoundToLoopback\": true,\n \"proxyVariablesSet\": true,\n \"proxyAwareClientStopped\": true,\n \"requestReachedLoopbackServer\": true\n },\n \"observed\": {\n \"proxyAwareRun\": {\n \"success\": false,\n \"stdout\": \"\",\n \"exitCode\": 2\n },\n \"netRun\": {\n \"success\": true,\n \"stdout\": \"BODY=poc\\n\",\n \"exitCode\": 0\n },\n \"loopbackHitCount\": 1\n },\n \"vulnerable\": true\n}\n```\n\nThe PoV is local-only. It does not contact any external host after npm package installation, and it does not use cloud metadata or destructive commands.\n\n## PoC\n\nThe PoV section above contains the local reproduction command, input, and decisive output.\n\n## Impact\n\nApplications often use sandbox network controls to prevent prompt-injected, user-supplied, or model-generated commands from exfiltrating secrets or reaching internal services. A caller who relies on `network-isolated` mode for that boundary can still get network egress by using any client that ignores proxy environment variables or by using direct socket APIs.\n\nDepending on the hosting environment, this can allow:\n\n- exfiltration from commands that can read local files, process output, or inherited environment variables;\n- access to localhost or internal network services reachable from the PraisonAI host;\n- requests to cloud metadata or service endpoints if the host network permits them; and\n- bypass of application policy that allows command execution only under a no-network assumption.\n\nThis report does not claim that npm PraisonAI exposes this as an unauthenticated network service by default. It is a library-level isolation bypass in an exported TypeScript API and CLI mode.\n\n### Severity\n\nSuggested severity: High.\n\nRationale:\n\n- `AV`: common use is a network-facing application or agent service that accepts user or prompt-controlled work and executes it through the sandbox.\n- `AC`: a single command using a non-proxy-aware network client is sufficient.\n- `PR`: conservative scoring assumes the attacker can submit prompts or work items to the application using PraisonAI.\n- `UN`: no additional operator interaction is required once the command is executed.\n- `S`: impact is scored against the PraisonAI-hosting process and its network privileges.\n- `C`: network egress can allow data exfiltration from the sandboxed command context.\n- `I/A`: reachable internal services can receive attacker-controlled requests, with impact depending on deployment.\n\nIf maintainers score only local CLI use, `AV:L` may be appropriate. If a deployment exposes this through unauthenticated agent endpoints, `PR:N` may be appropriate.\n\n## Suggested Fix\n\nDo not represent proxy environment variables as network isolation.\n\nRecommended:\n\n1. For a true `network-isolated` mode, run commands inside an execution boundary with OS-enforced network denial, such as a network namespace, firewall rule, sandbox profile, container, VM, or platform-specific socket filter.\n2. Add regression tests that start a loopback server and verify that direct socket clients, Node `http.get`, Python sockets, `curl`, and other common clients cannot connect under `network-isolated`.\n3. If only proxy hints are intended, rename the mode to something like `proxy-blocked`, document that it is not a security boundary, and keep \"network-isolated\" unavailable until OS-level enforcement exists.\n4. Consider default-deny egress with explicit allowlists for destinations that must remain reachable from sandboxed commands.\n\n## Affected Package/Versions\n\n- Repository: `MervinPraison/PraisonAI`\n- Ecosystem: `npm`\n- Package: `praisonai`\n- Component: TypeScript CLI feature `SandboxExecutor`\n- Latest npm package validated: `1.7.1`\n- Current `origin/main` validated: `1ad58ca02975ff1398efeda694ea2ab78f20cf3e`\n- `src/praisonai-ts/package.json` at `origin/main`: `praisonai` `1.7.1`\n\nSuggested affected range:\n\n```text\nnpm:praisonai \u003e= 1.2.3, \u003c= 1.7.1\n```\n\nSelected version sweep:\n\n- `1.0.0`: package main cannot be required in the selected test environment.\n- `1.0.19`, `1.1.0`, `1.2.0`, `1.2.1`, `1.2.2`: `SandboxExecutor` is not exported.\n- `1.2.3`: vulnerable.\n- `1.2.4`: vulnerable.\n- `1.3.0`: vulnerable.\n- `1.3.6`: vulnerable.\n- `1.4.0`: vulnerable.\n- `1.5.0`: vulnerable.\n- `1.5.4`: vulnerable.\n- `1.6.0`: vulnerable.\n- `1.7.0`: vulnerable.\n- `1.7.1`: vulnerable.\n\n## Advisory History\n\nVisible PraisonAI advisories and prior submissions were checked. The closest related findings are distinct:\n\n- `GHSA-r4f2-3m54-pp7q` covers PyPI `SubprocessSandbox` `shell=True` and blocklist bypass.\n- `GHSA-6jcq-6546-qrrw` covers Python Sandlock fallback to unrestricted subprocess execution when native Landlock is unavailable.\n- `GHSA-vmmj-pfw7-fjwp` covers npm `codeMode` host-process `new Function` sandbox escape.\n- `GHSA-vjv9-7m7j-h833` covers npm `SandboxExecutor` `allowedCommands` bypass through shell chaining.\n\nThis report is narrower and distinct: npm TypeScript `SandboxExecutor` `network-isolated` mode advertises no network access but enforces only proxy environment variables, so non-proxy-aware clients keep network access without needing shell chaining or a disallowed executable.",
"id": "GHSA-gqmf-56h7-rrpf",
"modified": "2026-06-18T14:26:28Z",
"published": "2026-06-18T14:26:28Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-gqmf-56h7-rrpf"
},
{
"type": "PACKAGE",
"url": "https://github.com/MervinPraison/PraisonAI"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "npm PraisonAI SandboxExecutor network-isolated mode does not block non-proxy-aware network clients"
}
GHSA-HJ5F-Q3P2-C2H3
Vulnerability from github – Published: 2025-04-04 09:30 – Updated: 2026-02-23 12:31Improper isolation of users in M-Files Server version before 25.3.14549 allows anonymous user to affect other anonymous users views and possibly cause a denial of service
{
"affected": [],
"aliases": [
"CVE-2025-3086"
],
"database_specific": {
"cwe_ids": [
"CWE-653"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-04T07:15:42Z",
"severity": "MODERATE"
},
"details": "Improper isolation of users in M-Files Server version before 25.3.14549 allows anonymous user to affect other anonymous users views and possibly cause a denial of service",
"id": "GHSA-hj5f-q3p2-c2h3",
"modified": "2026-02-23T12:31:29Z",
"published": "2025-04-04T09:30:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-3086"
},
{
"type": "WEB",
"url": "https://empower.m-files.com/security-advisories/CVE-2025-3086"
},
{
"type": "WEB",
"url": "https://product.m-files.com/security-advisories/cve-2025-3086"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-HJ93-H7PG-FH6V
Vulnerability from github – Published: 2026-04-02 15:31 – Updated: 2026-04-04 05:56A flaw was found in Keycloak. The SingleUseObjectProvider, a global key-value store, lacks proper type and namespace isolation. This vulnerability allows an unauthenticated attacker to forge authorization codes. Successful exploitation can lead to the creation of admin-capable access tokens, resulting in privilege escalation.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.keycloak:keycloak-services"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "26.5.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-4282"
],
"database_specific": {
"cwe_ids": [
"CWE-653"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-04T05:56:42Z",
"nvd_published_at": "2026-04-02T13:16:26Z",
"severity": "HIGH"
},
"details": "A flaw was found in Keycloak. The SingleUseObjectProvider, a global key-value store, lacks proper type and namespace isolation. This vulnerability allows an unauthenticated attacker to forge authorization codes. Successful exploitation can lead to the creation of admin-capable access tokens, resulting in privilege escalation.",
"id": "GHSA-hj93-h7pg-fh6v",
"modified": "2026-04-04T05:56:42Z",
"published": "2026-04-02T15:31:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4282"
},
{
"type": "WEB",
"url": "https://github.com/keycloak/keycloak/issues/47719"
},
{
"type": "WEB",
"url": "https://github.com/keycloak/keycloak/commit/9046f201125a6fd6be9c116b99d348509d99d4a5"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:6475"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:6476"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:6477"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:6478"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2026-4282"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2448061"
},
{
"type": "PACKAGE",
"url": "https://github.com/keycloak/keycloak"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Keycloak: Privilege escalation via forged authorization codes due to SingleUseObjectProvider isolation flaw"
}
GHSA-JVW5-V42Q-RPWC
Vulnerability from github – Published: 2026-05-19 15:31 – Updated: 2026-06-30 03:36Sandbox escape in Firefox and Firefox Focus for Android. This vulnerability was fixed in Firefox 151.
{
"affected": [],
"aliases": [
"CVE-2026-8945"
],
"database_specific": {
"cwe_ids": [
"CWE-653",
"CWE-693"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-19T14:16:50Z",
"severity": "HIGH"
},
"details": "Sandbox escape in Firefox and Firefox Focus for Android. This vulnerability was fixed in Firefox 151.",
"id": "GHSA-jvw5-v42q-rpwc",
"modified": "2026-06-30T03:36:43Z",
"published": "2026-05-19T15:31:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-8945"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2026-8945"
},
{
"type": "WEB",
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=2003171"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2479863"
},
{
"type": "WEB",
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-8945.json"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2026-46"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JWV5-XMF5-MP56
Vulnerability from github – Published: 2025-03-12 15:32 – Updated: 2025-10-22 00:33An Improper Isolation or Compartmentalization vulnerability in the kernel of Juniper Networks Junos OS allows a local attacker with high privileges to compromise the integrity of the device.
A local attacker with access to the shell is able to inject arbitrary code which can compromise an affected device. This issue is not exploitable from the Junos CLI. This issue affects Junos OS:
- All versions before 21.2R3-S9,
- 21.4 versions before 21.4R3-S10,
- 22.2 versions before 22.2R3-S6,
- 22.4 versions before 22.4R3-S6,
- 23.2 versions before 23.2R2-S3,
- 23.4 versions before 23.4R2-S4,
- 24.2 versions before 24.2R1-S2, 24.2R2.
{
"affected": [],
"aliases": [
"CVE-2025-21590"
],
"database_specific": {
"cwe_ids": [
"CWE-653"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-12T14:15:15Z",
"severity": "MODERATE"
},
"details": "An Improper Isolation or Compartmentalization vulnerability in the kernel of Juniper Networks Junos OS allows a local attacker with high privileges to compromise the integrity of the device.\n\nA local attacker with access to the shell is able to inject arbitrary code which can compromise an affected device.\nThis issue is not exploitable from the Junos CLI.\nThis issue affects Junos OS:\u00a0\n\n\n\n * All versions before 21.2R3-S9,\n * 21.4 versions before 21.4R3-S10,\u00a0\n * 22.2 versions before 22.2R3-S6,\u00a0\n * 22.4 versions before 22.4R3-S6,\u00a0\n * 23.2 versions before 23.2R2-S3,\u00a0\n * 23.4 versions before 23.4R2-S4,\n * 24.2 versions before 24.2R1-S2, 24.2R2.",
"id": "GHSA-jwv5-xmf5-mp56",
"modified": "2025-10-22T00:33:16Z",
"published": "2025-03-12T15:32:05Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-21590"
},
{
"type": "WEB",
"url": "https://cloud.google.com/blog/topics/threat-intelligence/china-nexus-espionage-targets-juniper-routers"
},
{
"type": "WEB",
"url": "https://supportportal.juniper.net/JSA93446"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-21590"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-MFRX-9G8M-Q563
Vulnerability from github – Published: 2023-04-12 15:30 – Updated: 2024-04-04 03:25yasm 1.3.0.55.g101bc was discovered to contain a segmentation violation via the component yasm_expr_create at /libyasm/expr.c.
{
"affected": [],
"aliases": [
"CVE-2023-29580"
],
"database_specific": {
"cwe_ids": [
"CWE-653"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-04-12T13:15:00Z",
"severity": "MODERATE"
},
"details": "yasm 1.3.0.55.g101bc was discovered to contain a segmentation violation via the component yasm_expr_create at /libyasm/expr.c.",
"id": "GHSA-mfrx-9g8m-q563",
"modified": "2024-04-04T03:25:16Z",
"published": "2023-04-12T15:30:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29580"
},
{
"type": "WEB",
"url": "https://github.com/yasm/yasm/issues/215"
},
{
"type": "WEB",
"url": "https://github.com/z1r00/fuzz_vuln/blob/main/yasm/segv/yasm_expr_create/readmd.md"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Break up privileges between different modules, objects, or entities. Minimize the interfaces between modules and require strong access control between them.
No CAPEC attack patterns related to this CWE.