PraisonAI Agents SSRF Vulnerability in Web Crawl Tool
The praisonaiagents library is vulnerable to Server-Side Request Forgery (SSRF) due to missing URL validation in the `web_crawl` tool's httpx fallback, potentially allowing attackers to access internal services or cloud metadata endpoints.
The praisonaiagents library is susceptible to a Server-Side Request Forgery (SSRF) vulnerability within the web_crawl tool. This flaw exists due to the httpx fallback path in src/praisonai-agents/praisonaiagents/tools/web_crawl_tools.py:133-180 failing to validate user-supplied URLs. This allows a malicious actor to potentially trick an LLM agent into crawling internal URLs and accessing sensitive resources like cloud metadata endpoints (e.g., 169.254.169.254), internal services, or the localhost environment. The response content is then returned to the agent and may appear in output visible to the attacker. The vulnerability is exploitable when the TAVILY_API_KEY is not set and the crawl4ai package is not installed, which is the default state after a fresh installation using pip install praisonai. The affected package versions are >= 0.13.23 and < 1.5.128.
Attack Chain
- Attacker crafts a malicious prompt or injects it into a publicly accessible webpage.
- The agent processes the prompt containing instructions to visit a specific URL using the
web_crawltool. - If
TAVILY_API_KEYis not set andcrawl4aiis not installed, the httpx fallback path inweb_crawl_tools.pyis triggered. - The httpx client makes a GET request to the attacker-controlled URL without proper validation, including internal IP addresses.
- The request is sent to an internal resource, such as the cloud metadata endpoint (
169.254.169.254). - The internal service responds with sensitive information, such as IAM credentials or internal service details.
- The response is returned to the agent, which parses and includes the sensitive information in its output.
- The attacker receives the agent's output, gaining access to the exfiltrated sensitive information.
Impact
Successful exploitation of this SSRF vulnerability can have severe consequences. On cloud infrastructure utilizing IMDSv1, attackers can obtain IAM credentials from the metadata service, potentially leading to complete compromise of the affected instance and broader access to cloud resources. In other deployments, attackers can access internal services reachable from the host, potentially revealing sensitive data or enabling further lateral movement within the network. There is no need to authenticate, the attacker just needs the agent to process input that triggers a web_crawl call to an internal address.
Recommendation
- Apply the provided remediation patch to
src/praisonai-agents/praisonaiagents/tools/web_crawl_tools.pyto implement URL validation before the httpx request (see Remediation section in content). - Deploy the Sigma rule "Detect PraisonAI Agents Web Crawl Internal IP Access" to identify attempts to access internal IP addresses via the vulnerable
web_crawltool. - If feasible, configure either a
TAVILY_API_KEYor install thecrawl4aipackage to avoid triggering the vulnerable httpx fallback path. - Monitor network connections originating from the
praisonaiagentsapplication for connections to internal IP ranges, as indicated by the IOCs, using network connection logs.
Detection coverage 2
Detect PraisonAI Agents Web Crawl Internal IP Access
highDetects attempts to access internal IP addresses (RFC1918, loopback, link-local) via praisonaiagents web crawl tool.
Detect PraisonAI Agents Web Crawl Cloud Metadata Access
highDetects attempts to access cloud metadata endpoints (AWS, Azure, GCP) via praisonaiagents web crawl tool.
Detection queries are available on the platform. Get full rules →
Indicators of compromise
2
url
| Type | Value |
|---|---|
| url | http://169.254.169.254/latest/meta-data/ |
| url | http://169.254.169.254/latest/meta-data/iam/security-credentials/ |