{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/praisonai-agents/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["PraisonAI Agents"],"_cs_severities":["high"],"_cs_tags":["ssrf","praisonai","ai-agent","cloud"],"_cs_type":"advisory","_cs_vendors":["PraisonAI"],"content_html":"\u003cp\u003eThe \u003ccode\u003epraisonaiagents\u003c/code\u003e library is susceptible to a Server-Side Request Forgery (SSRF) vulnerability within the \u003ccode\u003eweb_crawl\u003c/code\u003e tool. This flaw exists due to the httpx fallback path in \u003ccode\u003esrc/praisonai-agents/praisonaiagents/tools/web_crawl_tools.py:133-180\u003c/code\u003e failing to validate user-supplied URLs. This allows a malicious actor to potentially trick an LLM agent into crawling internal URLs and accessing sensitive resources like cloud metadata endpoints (e.g., \u003ccode\u003e169.254.169.254\u003c/code\u003e), internal services, or the localhost environment. The response content is then returned to the agent and may appear in output visible to the attacker. The vulnerability is exploitable when the \u003ccode\u003eTAVILY_API_KEY\u003c/code\u003e is not set and the \u003ccode\u003ecrawl4ai\u003c/code\u003e package is not installed, which is the default state after a fresh installation using \u003ccode\u003epip install praisonai\u003c/code\u003e. The affected package versions are \u0026gt;= 0.13.23 and \u0026lt; 1.5.128.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker crafts a malicious prompt or injects it into a publicly accessible webpage.\u003c/li\u003e\n\u003cli\u003eThe agent processes the prompt containing instructions to visit a specific URL using the \u003ccode\u003eweb_crawl\u003c/code\u003e tool.\u003c/li\u003e\n\u003cli\u003eIf \u003ccode\u003eTAVILY_API_KEY\u003c/code\u003e is not set and \u003ccode\u003ecrawl4ai\u003c/code\u003e is not installed, the httpx fallback path in \u003ccode\u003eweb_crawl_tools.py\u003c/code\u003e is triggered.\u003c/li\u003e\n\u003cli\u003eThe httpx client makes a GET request to the attacker-controlled URL without proper validation, including internal IP addresses.\u003c/li\u003e\n\u003cli\u003eThe request is sent to an internal resource, such as the cloud metadata endpoint (\u003ccode\u003e169.254.169.254\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe internal service responds with sensitive information, such as IAM credentials or internal service details.\u003c/li\u003e\n\u003cli\u003eThe response is returned to the agent, which parses and includes the sensitive information in its output.\u003c/li\u003e\n\u003cli\u003eThe attacker receives the agent's output, gaining access to the exfiltrated sensitive information.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SSRF vulnerability can have severe consequences. On cloud infrastructure utilizing IMDSv1, attackers can obtain IAM credentials from the metadata service, potentially leading to complete compromise of the affected instance and broader access to cloud resources. In other deployments, attackers can access internal services reachable from the host, potentially revealing sensitive data or enabling further lateral movement within the network. There is no need to authenticate, the attacker just needs the agent to process input that triggers a \u003ccode\u003eweb_crawl\u003c/code\u003e call to an internal address.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the provided remediation patch to \u003ccode\u003esrc/praisonai-agents/praisonaiagents/tools/web_crawl_tools.py\u003c/code\u003e to implement URL validation before the httpx request (see Remediation section in content).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Detect PraisonAI Agents Web Crawl Internal IP Access\u0026quot; to identify attempts to access internal IP addresses via the vulnerable \u003ccode\u003eweb_crawl\u003c/code\u003e tool.\u003c/li\u003e\n\u003cli\u003eIf feasible, configure either a \u003ccode\u003eTAVILY_API_KEY\u003c/code\u003e or install the \u003ccode\u003ecrawl4ai\u003c/code\u003e package to avoid triggering the vulnerable httpx fallback path.\u003c/li\u003e\n\u003cli\u003eMonitor network connections originating from the \u003ccode\u003epraisonaiagents\u003c/code\u003e application for connections to internal IP ranges, as indicated by the IOCs, using network connection logs.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-praisonai-agents-ssrf/","summary":"The praisonaiagents library is vulnerable to Server-Side Request Forgery (SSRF) due to missing URL validation in the `web_crawl` tool's httpx fallback, potentially allowing attackers to access internal services or cloud metadata endpoints.","title":"PraisonAI Agents SSRF Vulnerability in Web Crawl Tool","url":"https://feed.craftedsignal.io/briefs/2024-01-praisonai-agents-ssrf/"}],"language":"en","title":"CraftedSignal Threat Feed - PraisonAI Agents","version":"https://jsonfeed.org/version/1.1"}