PraisonAI Unvalidated API Base Parameter in Passthrough Functions Allows SSRF Vulnerability
Vulnerability
A server-side request forgery (SSRF) vulnerability has been identified in PraisonAI versions prior to 4.5.90. The issue is in the passthrough() and apassthrough() functions, where a caller-controlled api_base parameter is concatenated with the endpoint and the resulting URL is passed directly to httpx.Client.request(). This code path is reached when the primary litellm path raises an AttributeError and the functions fall back to the direct HTTP request. Nothing on that path validates the URL scheme, filters private, loopback or link-local addresses, or restricts the host to an allowlist, so the server will issue a request to any host it can reach, including hosts the caller could not reach directly.
Impact
An attacker who controls api_base can make the PraisonAI server issue requests on their behalf to internal services or to cloud instance metadata endpoints that are not reachable from outside. On cloud platforms such as AWS, reaching the instance metadata service from the server can expose sensitive information such as the IAM credentials attached to the instance.
Reproduction
The vulnerability can be reproduced by calling passthrough() with an api_base value that points at a host the server can reach (for example an internal service or a listener under the tester's control) and observing that the request is sent to that host without any validation. The same applies to apassthrough().
Remediation
Users are advised to update to PraisonAI version 4.5.90 or later, where this vulnerability has been patched. Until the upgrade is in place, api_base should not be derived from untrusted input, and outbound traffic from the server to internal networks and metadata endpoints should be restricted at the network layer.
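The advisory names three missing controls on the fallback path: no scheme check, no private-address filtering, and no host allowlist. The following is an added example of those controls written for this page; it is not PraisonAI's code or its patch, and it assumes nothing about the real passthrough() signature. build_passthrough_url_unsafe reproduces only the concatenation pattern the advisory describes; validate_api_base, is_safe_api_base, build_passthrough_url, UnsafeApiBase, the allowed_hosts and resolver parameters, and the hostname api.example.com are all names chosen for the example. 169.254.169.254 is the AWS instance metadata address the Impact section refers to; every other input is constructed.

```python
"""Scheme, address and allowlist checks for a caller-supplied api_base.

Added example, not PraisonAI code. The first builder reproduces only the
pattern the advisory describes (raw concatenation of api_base and endpoint);
the second accepts http(s) to an allowlisted host that resolves to a public
address and rejects everything else. All names are chosen for this example.
"""
import ipaddress
import socket
from typing import Callable, Iterable, Optional, Union
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
Resolver = Callable[[str], Iterable[str]]


class UnsafeApiBase(ValueError):
    """api_base failed one of the SSRF checks."""


def build_passthrough_url_unsafe(api_base: str, endpoint: str) -> str:
    """The vulnerable pattern: trust api_base and concatenate. Do not use."""
    return f"{api_base.rstrip('/')}/{endpoint.lstrip('/')}"


def _is_forbidden(ip: IPAddress) -> bool:
    """True for any address a passthrough request must never be sent to."""
    # ::ffff:169.254.169.254 is an IPv4 address in IPv6 form; unwrap it so the
    # IPv4 checks apply to the address that would actually be contacted.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def _resolve(host: str) -> list:
    """Default resolver: every address the name currently maps to."""
    return sorted({info[4][0].split("%")[0]
                   for info in socket.getaddrinfo(host, None)})


def validate_api_base(api_base: str, allowed_hosts: Iterable[str],
                      resolver: Optional[Resolver] = None) -> str:
    """Return a normalised scheme://host[:port]/path or raise UnsafeApiBase."""
    parts = urlsplit(api_base)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise UnsafeApiBase(f"scheme {scheme!r} not allowed")
    # http://api.example.com@10.0.0.5/ parses as user 'api.example.com' on
    # host 10.0.0.5; refuse userinfo outright rather than reason about it.
    if parts.username is not None or parts.password is not None:
        raise UnsafeApiBase("userinfo in api_base is not allowed")
    host = parts.hostname  # lower-cased, brackets stripped from IPv6 literals
    if not host:
        raise UnsafeApiBase("api_base has no host")
    try:
        port = parts.port
    except ValueError as exc:
        raise UnsafeApiBase("invalid port") from exc
    allowed = {h.lower() for h in allowed_hosts}
    try:
        literal = ipaddress.ip_address(host)
    except ValueError:
        literal = None
    if literal is not None:
        # A literal address must be public and listed explicitly.
        if _is_forbidden(literal) or host not in allowed:
            raise UnsafeApiBase(f"address {host} not allowed")
        host_repr = f"[{host}]" if literal.version == 6 else host
    else:
        if host not in allowed:
            raise UnsafeApiBase(f"host {host} not in allowlist")
        # An allowlisted name can still point at an internal address (DNS
        # rebinding, a hijacked or stale record): check every answer it returns.
        for addr in (resolver or _resolve)(host):
            if _is_forbidden(ipaddress.ip_address(addr)):
                raise UnsafeApiBase(f"{host} resolves to internal address {addr}")
        host_repr = host
    netloc = host_repr if port is None else f"{host_repr}:{port}"
    return f"{scheme}://{netloc}{parts.path.rstrip('/')}"  # query/fragment dropped


def is_safe_api_base(api_base: str, allowed_hosts: Iterable[str],
                     resolver: Optional[Resolver] = None) -> bool:
    """Boolean form of validate_api_base for callers that only need a verdict."""
    try:
        validate_api_base(api_base, allowed_hosts, resolver)
        return True
    except UnsafeApiBase:
        return False


def build_passthrough_url(api_base: str, endpoint: str, allowed_hosts: Iterable[str],
                          resolver: Optional[Resolver] = None) -> str:
    """Hardened counterpart of build_passthrough_url_unsafe."""
    base = validate_api_base(api_base, allowed_hosts, resolver)
    return f"{base}/{endpoint.lstrip('/')}"


if __name__ == "__main__":
    # Constructed inputs; the fake resolver keeps the demo offline.
    allowed = {"api.example.com"}
    fake_dns = lambda host: ["93.184.216.34"]
    print(build_passthrough_url_unsafe("http://169.254.169.254", "latest/meta-data/"))
    print(build_passthrough_url("https://api.example.com/v1", "chat/completions", allowed, fake_dns))
    for bad in ("http://169.254.169.254/latest/meta-data", "http://127.0.0.1:8080",
                "http://[::ffff:10.0.0.5]/", "file:///etc/passwd",
                "http://api.example.com@10.0.0.5/", "https://evil.example/v1"):
        print(f"{bad} -> safe={is_safe_api_base(bad, allowed, fake_dns)}")
```

Two design points are worth noting. The allowlist is matched exactly rather than by suffix, because suffix matching invites bypasses of the attacker-registers-a-lookalike kind; and name resolution is checked in addition to the allowlist, since an allowlisted name is only as trustworthy as the records behind it. The resolver is injectable so the check can be exercised without network access; in production the default socket.getaddrinfo path is used, and the check remains subject to the usual time-of-check/time-of-use gap unless the HTTP client is pinned to the validated addresses.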
