<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>PraisonAI Agents - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/praisonai-agents/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 02 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/praisonai-agents/feed.xml" rel="self" type="application/rss+xml"/><item><title>PraisonAI Agents SSRF Vulnerability in Web Crawl Tool</title><link>https://feed.craftedsignal.io/briefs/2024-01-praisonai-agents-ssrf/</link><pubDate>Tue, 02 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-praisonai-agents-ssrf/</guid><description>The praisonaiagents library is vulnerable to Server-Side Request Forgery (SSRF) due to missing URL validation in the `web_crawl` tool's httpx fallback, potentially allowing attackers to access internal services or cloud metadata endpoints.</description><content:encoded><![CDATA[<p>The <code>praisonaiagents</code> library is susceptible to a Server-Side Request Forgery (SSRF) vulnerability within the <code>web_crawl</code> tool. This flaw exists due to the httpx fallback path in <code>src/praisonai-agents/praisonaiagents/tools/web_crawl_tools.py:133-180</code> failing to validate user-supplied URLs. This allows a malicious actor to potentially trick an LLM agent into crawling internal URLs and accessing sensitive resources like cloud metadata endpoints (e.g., <code>169.254.169.254</code>), internal services, or the localhost environment. The response content is then returned to the agent and may appear in output visible to the attacker. The vulnerability is exploitable when the <code>TAVILY_API_KEY</code> is not set and the <code>crawl4ai</code> package is not installed, which is the default state after a fresh installation using <code>pip install praisonai</code>. The affected package versions are &gt;= 0.13.23 and &lt; 1.5.128.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker crafts a malicious prompt or injects it into a publicly accessible webpage.</li>
<li>The agent processes the prompt containing instructions to visit a specific URL using the <code>web_crawl</code> tool.</li>
<li>If <code>TAVILY_API_KEY</code> is not set and <code>crawl4ai</code> is not installed, the httpx fallback path in <code>web_crawl_tools.py</code> is triggered.</li>
<li>The httpx client makes a GET request to the attacker-controlled URL without proper validation, including internal IP addresses.</li>
<li>The request is sent to an internal resource, such as the cloud metadata endpoint (<code>169.254.169.254</code>).</li>
<li>The internal service responds with sensitive information, such as IAM credentials or internal service details.</li>
<li>The response is returned to the agent, which parses and includes the sensitive information in its output.</li>
<li>The attacker receives the agent's output, gaining access to the exfiltrated sensitive information.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this SSRF vulnerability can have severe consequences. On cloud infrastructure utilizing IMDSv1, attackers can obtain IAM credentials from the metadata service, potentially leading to complete compromise of the affected instance and broader access to cloud resources. In other deployments, attackers can access internal services reachable from the host, potentially revealing sensitive data or enabling further lateral movement within the network. There is no need to authenticate, the attacker just needs the agent to process input that triggers a <code>web_crawl</code> call to an internal address.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Apply the provided remediation patch to <code>src/praisonai-agents/praisonaiagents/tools/web_crawl_tools.py</code> to implement URL validation before the httpx request (see Remediation section in content).</li>
<li>Deploy the Sigma rule &quot;Detect PraisonAI Agents Web Crawl Internal IP Access&quot; to identify attempts to access internal IP addresses via the vulnerable <code>web_crawl</code> tool.</li>
<li>If feasible, configure either a <code>TAVILY_API_KEY</code> or install the <code>crawl4ai</code> package to avoid triggering the vulnerable httpx fallback path.</li>
<li>Monitor network connections originating from the <code>praisonaiagents</code> application for connections to internal IP ranges, as indicated by the IOCs, using network connection logs.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>ssrf</category><category>praisonai</category><category>ai-agent</category><category>cloud</category></item></channel></rss>