npm PraisonAI SandboxExecutor network-isolated mode does not block non-proxy-aware network clients
📋 Description
Summary
The published npm package praisonai exports a TypeScript SandboxExecutor with a network-isolated mode. The CLI lists that mode as:
network-isolated No network access (proxy blocked)
The implementation does not create a network namespace, firewall rule, socket filter, or proxy-enforced execution boundary. It only injects proxy environment variables into the child process:
http_proxy: 'http://localhost:0',
https_proxy: 'http://localhost:0',
HTTP_PROXY: 'http://localhost:0',
HTTPS_PROXY: 'http://localhost:0',
no_proxy: '',
NO_PROXY: ''
Clients that do not explicitly honor those proxy variables continue to use the host network stack. A local-only PoV shows that, inside mode: "network-isolated", a proxy-aware Node invocation is stopped, while a plain Node HTTP client reaches a loopback HTTP server from the same sandboxed command environment.
This is a network-isolation protection failure in an exported npm API and CLI mode. It is not a generic claim that every PraisonAI sandbox backend is affected.
Technical Details
src/praisonai-ts/src/cli/features/sandbox-executor.ts declares the mode:
export type SandboxMode = 'disabled' | 'basic' | 'strict' | 'network-isolated';
SandboxExecutor.spawn() starts the command through the host shell and passes only the environment returned by buildEnv():
const proc = spawn('sh', ['-c', command], {
cwd: this.config.cwd,
env,
timeout: this.config.timeout,
stdio: ['pipe', 'pipe', 'pipe']
});
For network-isolated, buildEnv() does not apply an OS-level network restriction. It only sets proxy variables:
case 'network-isolated':
// No network access (requires additional OS-level setup)
return {
...baseEnv,
http_proxy: 'http://localhost:0',
https_proxy: 'http://localhost:0',
HTTP_PROXY: 'http://localhost:0',
HTTPS_PROXY: 'http://localhost:0',
no_proxy: '',
NO_PROXY: ''
};
The CLI mode listing presents this as no network access:
'network-isolated': 'No network access (proxy blocked)'
That creates a false boundary. Proxy variables affect only clients that choose to read and honor them. Other clients can still open sockets directly from the child process.
Why This Is Not Intended Behavior
The vulnerable behavior is not "commands can run." The issue is that a mode named network-isolated and displayed to users as "No network access" still allows direct socket access.
The source comment says network-isolated requires additional OS-level setup, which is consistent with the finding: proxy variables alone are not a network isolation mechanism. The exported npm API and CLI mode do not provide such setup or warn callers that this mode is only a best-effort proxy hint.
If the intended behavior is merely "set proxy variables for cooperative clients," the mode name and CLI description should be changed so users do not rely on it as a security boundary.
PoV
Run from a local reproduction checkout:
node poc/pov_poc.js 1.7.1
The PoV:
- Installs
npm:[email protected]into a temporary project. - Starts a harmless HTTP server bound to
127.0.0.1on a random local port. - Creates
new SandboxExecutor({ mode: "network-isolated" }). - Confirms the child environment contains the proxy variables.
- Runs
node --use-env-proxy client.jsas a proxy-aware control. It fails and does not reach the server. - Runs
node client.jswithout proxy opt-in. It reaches the server and prints the marker.
Observed output summary from evidence/pov-npm-1.7.1.json:
{
"version": "1.7.1",
"mode": "network-isolated",
"control": {
"localServerBoundToLoopback": true,
"proxyVariablesSet": true,
"proxyAwareClientStopped": true,
"requestReachedLoopbackServer": true
},
"observed": {
"proxyAwareRun": {
"success": false,
"stdout": "",
"exitCode": 2
},
"netRun": {
"success": true,
"stdout": "BODY=poc\n",
"exitCode": 0
},
"loopbackHitCount": 1
},
"vulnerable": true
}
The PoV is local-only. It does not contact any external host after npm package installation, and it does not use cloud metadata or destructive commands.
PoC
The PoV section above contains the local reproduction command, input, and decisive output.
Impact
Applications often use sandbox network controls to prevent prompt-injected, user-supplied, or model-generated commands from exfiltrating secrets or reaching internal services. A caller who relies on network-isolated mode for that boundary can still get network egress by using any client that ignores proxy environment variables or by using direct socket APIs.
Depending on the hosting environment, this can allow:
- exfiltration from commands that can read local files, process output, or inherited environment variables;
- access to localhost or internal network services reachable from the PraisonAI host;
- requests to cloud metadata or service endpoints if the host network permits them; and
- bypass of application policy that allows command execution only under a no-network assumption.
This report does not claim that npm PraisonAI exposes this as an unauthenticated network service by default. It is a library-level isolation bypass in an exported TypeScript API and CLI mode.
Severity
Suggested severity: High.
Rationale:
AV: common use is a network-facing application or agent service that accepts user or prompt-controlled work and executes it through the sandbox.AC: a single command using a non-proxy-aware network client is sufficient.PR: conservative scoring assumes the attacker can submit prompts or work items to the application using PraisonAI.UN: no additional operator interaction is required once the command is executed.S: impact is scored against the PraisonAI-hosting process and its network privileges.C: network egress can allow data exfiltration from the sandboxed command context.I/A: reachable internal services can receive attacker-controlled requests, with impact depending on deployment.
If maintainers score only local CLI use, AV:L may be appropriate. If a deployment exposes this through unauthenticated agent endpoints, PR:N may be appropriate.
Suggested Fix
Do not represent proxy environment variables as network isolation.
Recommended:
- For a true
network-isolatedmode, run commands inside an execution boundary with OS-enforced network denial, such as a network namespace, firewall rule, sandbox profile, container, VM, or platform-specific socket filter. - Add regression tests that start a loopback server and verify that direct socket clients, Node
http.get, Python sockets,curl, and other common clients cannot connect undernetwork-isolated. - If only proxy hints are intended, rename the mode to something like
proxy-blocked, document that it is not a security boundary, and keep "network-isolated" unavailable until OS-level enforcement exists. - Consider default-deny egress with explicit allowlists for destinations that must remain reachable from sandboxed commands.
Affected Package/Versions
- Repository:
MervinPraison/PraisonAI - Ecosystem:
npm - Package:
praisonai - Component: TypeScript CLI feature
SandboxExecutor - Latest npm package validated:
1.7.1 - Current
origin/mainvalidated:1ad58ca02975ff1398efeda694ea2ab78f20cf3e src/praisonai-ts/package.jsonatorigin/main:praisonai1.7.1
Suggested affected range:
npm:praisonai >= 1.2.3, <= 1.7.1
Selected version sweep:
1.0.0: package main cannot be required in the selected test environment.1.0.19,1.1.0,1.2.0,1.2.1,1.2.2:SandboxExecutoris not exported.1.2.3: vulnerable.1.2.4: vulnerable.1.3.0: vulnerable.1.3.6: vulnerable.1.4.0: vulnerable.1.5.0: vulnerable.1.5.4: vulnerable.1.6.0: vulnerable.1.7.0: vulnerable.1.7.1: vulnerable.
Advisory History
Visible PraisonAI advisories and prior submissions were checked. The closest related findings are distinct:
GHSA-r4f2-3m54-pp7qcovers PyPISubprocessSandboxshell=Trueand blocklist bypass.GHSA-6jcq-6546-qrrwcovers Python Sandlock fallback to unrestricted subprocess execution when native Landlock is unavailable.GHSA-vmmj-pfw7-fjwpcovers npmcodeModehost-processnew Functionsandbox escape.GHSA-vjv9-7m7j-h833covers npmSandboxExecutorallowedCommandsbypass through shell chaining.
This report is narrower and distinct: npm TypeScript SandboxExecutor network-isolated mode advertises no network access but enforces only proxy environment variables, so non-proxy-aware clients keep network access without needing shell chaining or a disallowed executable.
🎯 Affected products1
- npm/praisonai:>= 1.2.3, <= 1.7.1