GHSA-32VR-5GCF-3PW2 PraisonAI Vulnerable to Remote Code Execution via YAML Deserialization in Agent Definition Loading
Summary The AgentService.loadAgentFromFile method uses the js-yaml library to parse YAML files without disabling dangerous tags such as !!js/function and !!js/undefined. This allows an attacker to craft a malicious YAML file that, when parsed, executes arbitrary JavaScript code. An attacker can...