Common Weakness Enumeration

CWE-653

Allowed

Improper Isolation or Compartmentalization

Abstraction: Class · Status: Draft

The product does not properly compartmentalize or isolate functionality, processes, or resources that require different privilege levels, rights, or permissions.

101 vulnerabilities reference this CWE, most recent first.

GHSA-G2F8-6MGF-93J8

Vulnerability from github – Published: 2025-01-23 03:30 – Updated: 2025-01-23 15:31
VLAI
Details

lunasvg v3.0.0 was discovered to contain a segmentation violation via the component plutovg_blend.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-57720"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-653"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-23T01:15:26Z",
    "severity": "MODERATE"
  },
  "details": "lunasvg v3.0.0 was discovered to contain a segmentation violation via the component plutovg_blend.",
  "id": "GHSA-g2f8-6mgf-93j8",
  "modified": "2025-01-23T15:31:05Z",
  "published": "2025-01-23T03:30:53Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-57720"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sammycage/lunasvg/issues/209"
    },
    {
      "type": "WEB",
      "url": "https://github.com/keepinggg/poc/blob/main/poc_of_lunasvg_3.1.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-GPRR-V9F2-PX3C

Vulnerability from github – Published: 2025-03-11 18:32 – Updated: 2025-03-11 20:19
VLAI
Summary
Azure PromptFlow remote code execution related to Jinja templates
Details

Improper isolation or compartmentalization in Azure PromptFlow allows an unauthorized attacker to execute code over a network.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "promptflow-tools"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.6.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "promptflow-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.17.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-24986"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-653"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-03-11T20:19:55Z",
    "nvd_published_at": "2025-03-11T17:16:34Z",
    "severity": "MODERATE"
  },
  "details": "Improper isolation or compartmentalization in Azure PromptFlow allows an unauthorized attacker to execute code over a network.",
  "id": "GHSA-gprr-v9f2-px3c",
  "modified": "2025-03-11T20:19:56Z",
  "published": "2025-03-11T18:32:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24986"
    },
    {
      "type": "WEB",
      "url": "https://github.com/microsoft/promptflow/commit/5f4a41ab4cb15607ade7f26138b0b863b4e4eb0a"
    },
    {
      "type": "WEB",
      "url": "https://github.com/microsoft/promptflow/commit/625061724c51533d28fe6e0e3014b1042afdb07f"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/microsoft/promptflow"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-24986"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Azure PromptFlow remote code execution related to Jinja templates"
}

GHSA-GQ6J-MR3Q-JV97

Vulnerability from github – Published: 2025-11-18 18:32 – Updated: 2025-11-18 18:32
VLAI
Details

An Improper Isolation or Compartmentalization vulnerability [CWE-653] in Fortinet FortiSandbox 5.0.0 through 5.0.1, FortiSandbox 4.4.0 through 4.4.7, FortiSandbox 4.2 all versions, FortiSandbox 4.0 all versions may allow an unauthenticated attacker to evade the sandboxing scan via a crafted file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-46215"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-653"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-11-18T17:16:01Z",
    "severity": "MODERATE"
  },
  "details": "An Improper Isolation or Compartmentalization vulnerability [CWE-653] in Fortinet FortiSandbox 5.0.0 through 5.0.1, FortiSandbox 4.4.0 through 4.4.7, FortiSandbox 4.2 all versions, FortiSandbox 4.0 all versions may allow an unauthenticated attacker to evade the sandboxing scan via a crafted file.",
  "id": "GHSA-gq6j-mr3q-jv97",
  "modified": "2025-11-18T18:32:53Z",
  "published": "2025-11-18T18:32:53Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46215"
    },
    {
      "type": "WEB",
      "url": "https://fortiguard.fortinet.com/psirt/FG-IR-24-501"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-GQ7G-VG2Q-JVQ3

Vulnerability from github – Published: 2026-05-26 13:30 – Updated: 2026-06-30 17:18
VLAI
Summary
Apache Syncope has an Improper Isolation or Compartmentalization vulnerability
Details

Improper Isolation or Compartmentalization vulnerability in Apache Syncope.

An administrator with adequate entitlements for Implementations can create a malicious Groovy class containing untrusted code reaching a non-sandboxed execution path via the class static initializer.

This issue affects Apache Syncope: 3.0 through 3.0.16, 4.0 through 4.0.5, 4.1.0.

Users are recommended to upgrade to version 4.0.6 / 4.1.1, which fix this issue by forcing even the static initializer in Groovy code to run in a sandbox.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.syncope.core:syncope-core-spring"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.0-M0"
            },
            {
              "last_affected": "3.0.16"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.syncope.core:syncope-core-spring"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.0.0-M0"
            },
            {
              "fixed": "4.0.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.syncope.core:syncope-core-spring"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.1.0-M0"
            },
            {
              "fixed": "4.1.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-42782"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-653"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-30T17:18:21Z",
    "nvd_published_at": "2026-05-25T16:16:19Z",
    "severity": "HIGH"
  },
  "details": "Improper Isolation or Compartmentalization vulnerability in Apache Syncope.\n\nAn administrator with adequate entitlements for Implementations can create a malicious Groovy class containing\u00a0untrusted code reaching a non-sandboxed execution path via the class static initializer.\n\nThis issue affects Apache Syncope: 3.0 through 3.0.16, 4.0 through 4.0.5, 4.1.0.\n\nUsers are recommended to upgrade to version 4.0.6 / 4.1.1, which fix this issue by forcing even the static initializer in Groovy code to run in a sandbox.",
  "id": "GHSA-gq7g-vg2q-jvq3",
  "modified": "2026-06-30T17:18:21Z",
  "published": "2026-05-26T13:30:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42782"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread/b869ms0ofrd129f7tgsn9flxgv9ztg2r"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2026/05/25/4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Apache Syncope has an Improper Isolation or Compartmentalization vulnerability"
}

GHSA-GQMF-56H7-RRPF

Vulnerability from github – Published: 2026-06-18 14:26 – Updated: 2026-06-18 14:26
VLAI
Summary
npm PraisonAI SandboxExecutor network-isolated mode does not block non-proxy-aware network clients
Details

Summary

The published npm package praisonai exports a TypeScript SandboxExecutor with a network-isolated mode. The CLI lists that mode as:

network-isolated  No network access (proxy blocked)

The implementation does not create a network namespace, firewall rule, socket filter, or proxy-enforced execution boundary. It only injects proxy environment variables into the child process:

http_proxy: 'http://localhost:0',
https_proxy: 'http://localhost:0',
HTTP_PROXY: 'http://localhost:0',
HTTPS_PROXY: 'http://localhost:0',
no_proxy: '',
NO_PROXY: ''

Clients that do not explicitly honor those proxy variables continue to use the host network stack. A local-only PoV shows that, inside mode: "network-isolated", a proxy-aware Node invocation is stopped, while a plain Node HTTP client reaches a loopback HTTP server from the same sandboxed command environment.

This is a network-isolation protection failure in an exported npm API and CLI mode. It is not a generic claim that every PraisonAI sandbox backend is affected.

Technical Details

src/praisonai-ts/src/cli/features/sandbox-executor.ts declares the mode:

export type SandboxMode = 'disabled' | 'basic' | 'strict' | 'network-isolated';

SandboxExecutor.spawn() starts the command through the host shell and passes only the environment returned by buildEnv():

const proc = spawn('sh', ['-c', command], {
  cwd: this.config.cwd,
  env,
  timeout: this.config.timeout,
  stdio: ['pipe', 'pipe', 'pipe']
});

For network-isolated, buildEnv() does not apply an OS-level network restriction. It only sets proxy variables:

case 'network-isolated':
  // No network access (requires additional OS-level setup)
  return {
    ...baseEnv,
    http_proxy: 'http://localhost:0',
    https_proxy: 'http://localhost:0',
    HTTP_PROXY: 'http://localhost:0',
    HTTPS_PROXY: 'http://localhost:0',
    no_proxy: '',
    NO_PROXY: ''
  };

The CLI mode listing presents this as no network access:

'network-isolated': 'No network access (proxy blocked)'

That creates a false boundary. Proxy variables affect only clients that choose to read and honor them. Other clients can still open sockets directly from the child process.

Why This Is Not Intended Behavior

The vulnerable behavior is not "commands can run." The issue is that a mode named network-isolated and displayed to users as "No network access" still allows direct socket access.

The source comment says network-isolated requires additional OS-level setup, which is consistent with the finding: proxy variables alone are not a network isolation mechanism. The exported npm API and CLI mode do not provide such setup or warn callers that this mode is only a best-effort proxy hint.

If the intended behavior is merely "set proxy variables for cooperative clients," the mode name and CLI description should be changed so users do not rely on it as a security boundary.

PoV

Run from a local reproduction checkout:

node poc/pov_poc.js 1.7.1

The PoV:

  1. Installs npm:praisonai@1.7.1 into a temporary project.
  2. Starts a harmless HTTP server bound to 127.0.0.1 on a random local port.
  3. Creates new SandboxExecutor({ mode: "network-isolated" }).
  4. Confirms the child environment contains the proxy variables.
  5. Runs node --use-env-proxy client.js as a proxy-aware control. It fails and does not reach the server.
  6. Runs node client.js without proxy opt-in. It reaches the server and prints the marker.

Observed output summary from evidence/pov-npm-1.7.1.json:

{
  "version": "1.7.1",
  "mode": "network-isolated",
  "control": {
    "localServerBoundToLoopback": true,
    "proxyVariablesSet": true,
    "proxyAwareClientStopped": true,
    "requestReachedLoopbackServer": true
  },
  "observed": {
    "proxyAwareRun": {
      "success": false,
      "stdout": "",
      "exitCode": 2
    },
    "netRun": {
      "success": true,
      "stdout": "BODY=poc\n",
      "exitCode": 0
    },
    "loopbackHitCount": 1
  },
  "vulnerable": true
}

The PoV is local-only. It does not contact any external host after npm package installation, and it does not use cloud metadata or destructive commands.

PoC

The PoV section above contains the local reproduction command, input, and decisive output.

Impact

Applications often use sandbox network controls to prevent prompt-injected, user-supplied, or model-generated commands from exfiltrating secrets or reaching internal services. A caller who relies on network-isolated mode for that boundary can still get network egress by using any client that ignores proxy environment variables or by using direct socket APIs.

Depending on the hosting environment, this can allow:

  • exfiltration from commands that can read local files, process output, or inherited environment variables;
  • access to localhost or internal network services reachable from the PraisonAI host;
  • requests to cloud metadata or service endpoints if the host network permits them; and
  • bypass of application policy that allows command execution only under a no-network assumption.

This report does not claim that npm PraisonAI exposes this as an unauthenticated network service by default. It is a library-level isolation bypass in an exported TypeScript API and CLI mode.

Severity

Suggested severity: High.

Rationale:

  • AV: common use is a network-facing application or agent service that accepts user or prompt-controlled work and executes it through the sandbox.
  • AC: a single command using a non-proxy-aware network client is sufficient.
  • PR: conservative scoring assumes the attacker can submit prompts or work items to the application using PraisonAI.
  • UN: no additional operator interaction is required once the command is executed.
  • S: impact is scored against the PraisonAI-hosting process and its network privileges.
  • C: network egress can allow data exfiltration from the sandboxed command context.
  • I/A: reachable internal services can receive attacker-controlled requests, with impact depending on deployment.

If maintainers score only local CLI use, AV:L may be appropriate. If a deployment exposes this through unauthenticated agent endpoints, PR:N may be appropriate.

Suggested Fix

Do not represent proxy environment variables as network isolation.

Recommended:

  1. For a true network-isolated mode, run commands inside an execution boundary with OS-enforced network denial, such as a network namespace, firewall rule, sandbox profile, container, VM, or platform-specific socket filter.
  2. Add regression tests that start a loopback server and verify that direct socket clients, Node http.get, Python sockets, curl, and other common clients cannot connect under network-isolated.
  3. If only proxy hints are intended, rename the mode to something like proxy-blocked, document that it is not a security boundary, and keep "network-isolated" unavailable until OS-level enforcement exists.
  4. Consider default-deny egress with explicit allowlists for destinations that must remain reachable from sandboxed commands.

Affected Package/Versions

  • Repository: MervinPraison/PraisonAI
  • Ecosystem: npm
  • Package: praisonai
  • Component: TypeScript CLI feature SandboxExecutor
  • Latest npm package validated: 1.7.1
  • Current origin/main validated: 1ad58ca02975ff1398efeda694ea2ab78f20cf3e
  • src/praisonai-ts/package.json at origin/main: praisonai 1.7.1

Suggested affected range:

npm:praisonai >= 1.2.3, <= 1.7.1

Selected version sweep:

  • 1.0.0: package main cannot be required in the selected test environment.
  • 1.0.19, 1.1.0, 1.2.0, 1.2.1, 1.2.2: SandboxExecutor is not exported.
  • 1.2.3: vulnerable.
  • 1.2.4: vulnerable.
  • 1.3.0: vulnerable.
  • 1.3.6: vulnerable.
  • 1.4.0: vulnerable.
  • 1.5.0: vulnerable.
  • 1.5.4: vulnerable.
  • 1.6.0: vulnerable.
  • 1.7.0: vulnerable.
  • 1.7.1: vulnerable.

Advisory History

Visible PraisonAI advisories and prior submissions were checked. The closest related findings are distinct:

  • GHSA-r4f2-3m54-pp7q covers PyPI SubprocessSandbox shell=True and blocklist bypass.
  • GHSA-6jcq-6546-qrrw covers Python Sandlock fallback to unrestricted subprocess execution when native Landlock is unavailable.
  • GHSA-vmmj-pfw7-fjwp covers npm codeMode host-process new Function sandbox escape.
  • GHSA-vjv9-7m7j-h833 covers npm SandboxExecutor allowedCommands bypass through shell chaining.

This report is narrower and distinct: npm TypeScript SandboxExecutor network-isolated mode advertises no network access but enforces only proxy environment variables, so non-proxy-aware clients keep network access without needing shell chaining or a disallowed executable.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.7.1"
      },
      "package": {
        "ecosystem": "npm",
        "name": "praisonai"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.2.3"
            },
            {
              "fixed": "1.7.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-653",
      "CWE-693"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-18T14:26:28Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "## Summary\n\nThe published npm package `praisonai` exports a TypeScript `SandboxExecutor` with a `network-isolated` mode. The CLI lists that mode as:\n\n```text\nnetwork-isolated  No network access (proxy blocked)\n```\n\nThe implementation does not create a network namespace, firewall rule, socket filter, or proxy-enforced execution boundary. It only injects proxy environment variables into the child process:\n\n```ts\nhttp_proxy: \u0027http://localhost:0\u0027,\nhttps_proxy: \u0027http://localhost:0\u0027,\nHTTP_PROXY: \u0027http://localhost:0\u0027,\nHTTPS_PROXY: \u0027http://localhost:0\u0027,\nno_proxy: \u0027\u0027,\nNO_PROXY: \u0027\u0027\n```\n\nClients that do not explicitly honor those proxy variables continue to use the host network stack. A local-only PoV shows that, inside `mode: \"network-isolated\"`, a proxy-aware Node invocation is stopped, while a plain Node HTTP client reaches a loopback HTTP server from the same sandboxed command environment.\n\nThis is a network-isolation protection failure in an exported npm API and CLI mode. It is not a generic claim that every PraisonAI sandbox backend is affected.\n\n## Technical Details\n\n`src/praisonai-ts/src/cli/features/sandbox-executor.ts` declares the mode:\n\n```ts\nexport type SandboxMode = \u0027disabled\u0027 | \u0027basic\u0027 | \u0027strict\u0027 | \u0027network-isolated\u0027;\n```\n\n`SandboxExecutor.spawn()` starts the command through the host shell and passes only the environment returned by `buildEnv()`:\n\n```ts\nconst proc = spawn(\u0027sh\u0027, [\u0027-c\u0027, command], {\n  cwd: this.config.cwd,\n  env,\n  timeout: this.config.timeout,\n  stdio: [\u0027pipe\u0027, \u0027pipe\u0027, \u0027pipe\u0027]\n});\n```\n\nFor `network-isolated`, `buildEnv()` does not apply an OS-level network restriction. It only sets proxy variables:\n\n```ts\ncase \u0027network-isolated\u0027:\n  // No network access (requires additional OS-level setup)\n  return {\n    ...baseEnv,\n    http_proxy: \u0027http://localhost:0\u0027,\n    https_proxy: \u0027http://localhost:0\u0027,\n    HTTP_PROXY: \u0027http://localhost:0\u0027,\n    HTTPS_PROXY: \u0027http://localhost:0\u0027,\n    no_proxy: \u0027\u0027,\n    NO_PROXY: \u0027\u0027\n  };\n```\n\nThe CLI mode listing presents this as no network access:\n\n```ts\n\u0027network-isolated\u0027: \u0027No network access (proxy blocked)\u0027\n```\n\nThat creates a false boundary. Proxy variables affect only clients that choose to read and honor them. Other clients can still open sockets directly from the child process.\n\n### Why This Is Not Intended Behavior\n\nThe vulnerable behavior is not \"commands can run.\" The issue is that a mode named `network-isolated` and displayed to users as \"No network access\" still allows direct socket access.\n\nThe source comment says `network-isolated` requires additional OS-level setup, which is consistent with the finding: proxy variables alone are not a network isolation mechanism. The exported npm API and CLI mode do not provide such setup or warn callers that this mode is only a best-effort proxy hint.\n\nIf the intended behavior is merely \"set proxy variables for cooperative clients,\" the mode name and CLI description should be changed so users do not rely on it as a security boundary.\n\n## PoV\n\nRun from a local reproduction checkout:\n\n```bash\nnode poc/pov_poc.js 1.7.1\n```\n\nThe PoV:\n\n1. Installs `npm:praisonai@1.7.1` into a temporary project.\n2. Starts a harmless HTTP server bound to `127.0.0.1` on a random local port.\n3. Creates `new SandboxExecutor({ mode: \"network-isolated\" })`.\n4. Confirms the child environment contains the proxy variables.\n5. Runs `node --use-env-proxy client.js` as a proxy-aware control. It fails and does not reach the server.\n6. Runs `node client.js` without proxy opt-in. It reaches the server and prints the marker.\n\nObserved output summary from `evidence/pov-npm-1.7.1.json`:\n\n```json\n{\n  \"version\": \"1.7.1\",\n  \"mode\": \"network-isolated\",\n  \"control\": {\n    \"localServerBoundToLoopback\": true,\n    \"proxyVariablesSet\": true,\n    \"proxyAwareClientStopped\": true,\n    \"requestReachedLoopbackServer\": true\n  },\n  \"observed\": {\n    \"proxyAwareRun\": {\n      \"success\": false,\n      \"stdout\": \"\",\n      \"exitCode\": 2\n    },\n    \"netRun\": {\n      \"success\": true,\n      \"stdout\": \"BODY=poc\\n\",\n      \"exitCode\": 0\n    },\n    \"loopbackHitCount\": 1\n  },\n  \"vulnerable\": true\n}\n```\n\nThe PoV is local-only. It does not contact any external host after npm package installation, and it does not use cloud metadata or destructive commands.\n\n## PoC\n\nThe PoV section above contains the local reproduction command, input, and decisive output.\n\n## Impact\n\nApplications often use sandbox network controls to prevent prompt-injected, user-supplied, or model-generated commands from exfiltrating secrets or reaching internal services. A caller who relies on `network-isolated` mode for that boundary can still get network egress by using any client that ignores proxy environment variables or by using direct socket APIs.\n\nDepending on the hosting environment, this can allow:\n\n- exfiltration from commands that can read local files, process output, or inherited environment variables;\n- access to localhost or internal network services reachable from the PraisonAI host;\n- requests to cloud metadata or service endpoints if the host network permits them; and\n- bypass of application policy that allows command execution only under a no-network assumption.\n\nThis report does not claim that npm PraisonAI exposes this as an unauthenticated network service by default. It is a library-level isolation bypass in an exported TypeScript API and CLI mode.\n\n### Severity\n\nSuggested severity: High.\n\nRationale:\n\n- `AV`: common use is a network-facing application or agent service that accepts user or prompt-controlled work and executes it through the sandbox.\n- `AC`: a single command using a non-proxy-aware network client is sufficient.\n- `PR`: conservative scoring assumes the attacker can submit prompts or work items to the application using PraisonAI.\n- `UN`: no additional operator interaction is required once the command is executed.\n- `S`: impact is scored against the PraisonAI-hosting process and its network privileges.\n- `C`: network egress can allow data exfiltration from the sandboxed command context.\n- `I/A`: reachable internal services can receive attacker-controlled requests, with impact depending on deployment.\n\nIf maintainers score only local CLI use, `AV:L` may be appropriate. If a deployment exposes this through unauthenticated agent endpoints, `PR:N` may be appropriate.\n\n## Suggested Fix\n\nDo not represent proxy environment variables as network isolation.\n\nRecommended:\n\n1. For a true `network-isolated` mode, run commands inside an execution boundary with OS-enforced network denial, such as a network namespace, firewall rule, sandbox profile, container, VM, or platform-specific socket filter.\n2. Add regression tests that start a loopback server and verify that direct socket clients, Node `http.get`, Python sockets, `curl`, and other common clients cannot connect under `network-isolated`.\n3. If only proxy hints are intended, rename the mode to something like `proxy-blocked`, document that it is not a security boundary, and keep \"network-isolated\" unavailable until OS-level enforcement exists.\n4. Consider default-deny egress with explicit allowlists for destinations that must remain reachable from sandboxed commands.\n\n## Affected Package/Versions\n\n- Repository: `MervinPraison/PraisonAI`\n- Ecosystem: `npm`\n- Package: `praisonai`\n- Component: TypeScript CLI feature `SandboxExecutor`\n- Latest npm package validated: `1.7.1`\n- Current `origin/main` validated: `1ad58ca02975ff1398efeda694ea2ab78f20cf3e`\n- `src/praisonai-ts/package.json` at `origin/main`: `praisonai` `1.7.1`\n\nSuggested affected range:\n\n```text\nnpm:praisonai \u003e= 1.2.3, \u003c= 1.7.1\n```\n\nSelected version sweep:\n\n- `1.0.0`: package main cannot be required in the selected test environment.\n- `1.0.19`, `1.1.0`, `1.2.0`, `1.2.1`, `1.2.2`: `SandboxExecutor` is not exported.\n- `1.2.3`: vulnerable.\n- `1.2.4`: vulnerable.\n- `1.3.0`: vulnerable.\n- `1.3.6`: vulnerable.\n- `1.4.0`: vulnerable.\n- `1.5.0`: vulnerable.\n- `1.5.4`: vulnerable.\n- `1.6.0`: vulnerable.\n- `1.7.0`: vulnerable.\n- `1.7.1`: vulnerable.\n\n## Advisory History\n\nVisible PraisonAI advisories and prior submissions were checked. The closest related findings are distinct:\n\n- `GHSA-r4f2-3m54-pp7q` covers PyPI `SubprocessSandbox` `shell=True` and blocklist bypass.\n- `GHSA-6jcq-6546-qrrw` covers Python Sandlock fallback to unrestricted subprocess execution when native Landlock is unavailable.\n- `GHSA-vmmj-pfw7-fjwp` covers npm `codeMode` host-process `new Function` sandbox escape.\n- `GHSA-vjv9-7m7j-h833` covers npm `SandboxExecutor` `allowedCommands` bypass through shell chaining.\n\nThis report is narrower and distinct: npm TypeScript `SandboxExecutor` `network-isolated` mode advertises no network access but enforces only proxy environment variables, so non-proxy-aware clients keep network access without needing shell chaining or a disallowed executable.",
  "id": "GHSA-gqmf-56h7-rrpf",
  "modified": "2026-06-18T14:26:28Z",
  "published": "2026-06-18T14:26:28Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-gqmf-56h7-rrpf"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/MervinPraison/PraisonAI"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "npm PraisonAI SandboxExecutor network-isolated mode does not block non-proxy-aware network clients"
}

GHSA-HJ5F-Q3P2-C2H3

Vulnerability from github – Published: 2025-04-04 09:30 – Updated: 2026-02-23 12:31
VLAI
Details

Improper isolation of users in M-Files Server version before 25.3.14549 allows anonymous user to affect other anonymous users views and possibly cause a denial of service

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-3086"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-653"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-04-04T07:15:42Z",
    "severity": "MODERATE"
  },
  "details": "Improper isolation of users in M-Files Server version before 25.3.14549 allows anonymous user to affect other anonymous users views and possibly cause a denial of service",
  "id": "GHSA-hj5f-q3p2-c2h3",
  "modified": "2026-02-23T12:31:29Z",
  "published": "2025-04-04T09:30:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-3086"
    },
    {
      "type": "WEB",
      "url": "https://empower.m-files.com/security-advisories/CVE-2025-3086"
    },
    {
      "type": "WEB",
      "url": "https://product.m-files.com/security-advisories/cve-2025-3086"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-HJ93-H7PG-FH6V

Vulnerability from github – Published: 2026-04-02 15:31 – Updated: 2026-04-04 05:56
VLAI
Summary
Keycloak: Privilege escalation via forged authorization codes due to SingleUseObjectProvider isolation flaw
Details

A flaw was found in Keycloak. The SingleUseObjectProvider, a global key-value store, lacks proper type and namespace isolation. This vulnerability allows an unauthenticated attacker to forge authorization codes. Successful exploitation can lead to the creation of admin-capable access tokens, resulting in privilege escalation.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.keycloak:keycloak-services"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "26.5.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-4282"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-653"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-04T05:56:42Z",
    "nvd_published_at": "2026-04-02T13:16:26Z",
    "severity": "HIGH"
  },
  "details": "A flaw was found in Keycloak. The SingleUseObjectProvider, a global key-value store, lacks proper type and namespace isolation. This vulnerability allows an unauthenticated attacker to forge authorization codes. Successful exploitation can lead to the creation of admin-capable access tokens, resulting in privilege escalation.",
  "id": "GHSA-hj93-h7pg-fh6v",
  "modified": "2026-04-04T05:56:42Z",
  "published": "2026-04-02T15:31:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4282"
    },
    {
      "type": "WEB",
      "url": "https://github.com/keycloak/keycloak/issues/47719"
    },
    {
      "type": "WEB",
      "url": "https://github.com/keycloak/keycloak/commit/9046f201125a6fd6be9c116b99d348509d99d4a5"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:6475"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:6476"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:6477"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:6478"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2026-4282"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2448061"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/keycloak/keycloak"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Keycloak: Privilege escalation via forged authorization codes due to SingleUseObjectProvider isolation flaw"
}

GHSA-JVW5-V42Q-RPWC

Vulnerability from github – Published: 2026-05-19 15:31 – Updated: 2026-06-30 03:36
VLAI
Details

Sandbox escape in Firefox and Firefox Focus for Android. This vulnerability was fixed in Firefox 151.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-8945"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-653",
      "CWE-693"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-19T14:16:50Z",
    "severity": "HIGH"
  },
  "details": "Sandbox escape in Firefox and Firefox Focus for Android. This vulnerability was fixed in Firefox 151.",
  "id": "GHSA-jvw5-v42q-rpwc",
  "modified": "2026-06-30T03:36:43Z",
  "published": "2026-05-19T15:31:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-8945"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2026-8945"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=2003171"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2479863"
    },
    {
      "type": "WEB",
      "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-8945.json"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2026-46"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JWV5-XMF5-MP56

Vulnerability from github – Published: 2025-03-12 15:32 – Updated: 2025-10-22 00:33
VLAI
Details

An Improper Isolation or Compartmentalization vulnerability in the kernel of Juniper Networks Junos OS allows a local attacker with high privileges to compromise the integrity of the device.

A local attacker with access to the shell is able to inject arbitrary code which can compromise an affected device. This issue is not exploitable from the Junos CLI. This issue affects Junos OS: 

  • All versions before 21.2R3-S9,
  • 21.4 versions before 21.4R3-S10, 
  • 22.2 versions before 22.2R3-S6, 
  • 22.4 versions before 22.4R3-S6, 
  • 23.2 versions before 23.2R2-S3, 
  • 23.4 versions before 23.4R2-S4,
  • 24.2 versions before 24.2R1-S2, 24.2R2.
Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-21590"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-653"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-03-12T14:15:15Z",
    "severity": "MODERATE"
  },
  "details": "An Improper Isolation or Compartmentalization vulnerability in the kernel of Juniper Networks Junos OS allows a local attacker with high privileges to compromise the integrity of the device.\n\nA local attacker with access to the shell is able to inject arbitrary code which can compromise an affected device.\nThis issue is not exploitable from the Junos CLI.\nThis issue affects Junos OS:\u00a0\n\n\n\n  *  All versions before 21.2R3-S9,\n  *  21.4 versions before 21.4R3-S10,\u00a0\n  *  22.2 versions before 22.2R3-S6,\u00a0\n  *  22.4 versions before 22.4R3-S6,\u00a0\n  *  23.2 versions before 23.2R2-S3,\u00a0\n  *  23.4 versions before 23.4R2-S4,\n  *  24.2 versions before 24.2R1-S2, 24.2R2.",
  "id": "GHSA-jwv5-xmf5-mp56",
  "modified": "2025-10-22T00:33:16Z",
  "published": "2025-03-12T15:32:05Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-21590"
    },
    {
      "type": "WEB",
      "url": "https://cloud.google.com/blog/topics/threat-intelligence/china-nexus-espionage-targets-juniper-routers"
    },
    {
      "type": "WEB",
      "url": "https://supportportal.juniper.net/JSA93446"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-21590"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-MFRX-9G8M-Q563

Vulnerability from github – Published: 2023-04-12 15:30 – Updated: 2024-04-04 03:25
VLAI
Details

yasm 1.3.0.55.g101bc was discovered to contain a segmentation violation via the component yasm_expr_create at /libyasm/expr.c.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-29580"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-653"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-04-12T13:15:00Z",
    "severity": "MODERATE"
  },
  "details": "yasm 1.3.0.55.g101bc was discovered to contain a segmentation violation via the component yasm_expr_create at /libyasm/expr.c.",
  "id": "GHSA-mfrx-9g8m-q563",
  "modified": "2024-04-04T03:25:16Z",
  "published": "2023-04-12T15:30:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29580"
    },
    {
      "type": "WEB",
      "url": "https://github.com/yasm/yasm/issues/215"
    },
    {
      "type": "WEB",
      "url": "https://github.com/z1r00/fuzz_vuln/blob/main/yasm/segv/yasm_expr_create/readmd.md"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

Break up privileges between different modules, objects, or entities. Minimize the interfaces between modules and require strong access control between them.

No CAPEC attack patterns related to this CWE.