PraisonAI Multi-Agent Teams System Unvalidated URL Vulnerability in File Download Function Allowing SSRF

Vulnerability

A server-side request forgery (SSRF) vulnerability has been identified in the PraisonAI multi-agent teams system, specifically in the FileTools.download_file() function of the praisonaiagents package, prior to version 1.5.95. The function validates the destination path but does not properly validate the URL parameter, which is passed directly to httpx.stream() with follow_redirects enabled. As a result, an attacker who controls the URL can reach any host the server can reach, including cloud metadata services and internal network services. In cloud environments with IMDSv1 enabled, this could allow retrieval of sensitive IAM credentials via the EC2 metadata service.

Impact

Exploitation of this vulnerability could lead to unauthorized access to internal network services or cloud metadata services, potentially allowing an attacker to exfiltrate sensitive information such as IAM credentials from the EC2 metadata service on AWS.

Reproduction

The vulnerability can be reproduced by installing the praisonaiagents package version 1.5.87, setting the PRAISONAI_AUTO_APPROVE environment variable to true, and then calling the download_file() function with a crafted URL that points to a service accessible from the server, such as the EC2 metadata service.

Remediation

Users are advised to update to PraisonAI version 1.5.95 or later, where this vulnerability has been patched.
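The description above names two missing controls: the URL is never validated, and the HTTP client is allowed to follow redirects on its own. The following is an added example of how a download helper can supply both; it is not PraisonAI code and does not show the project's actual fix. The function names (validate_download_url, resolve_redirects, safe_download), the resolver hook and the hop limit are assumptions of this example; the addresses in the comments are constructed sample values.

```python
"""Hypothetical SSRF guard for a download_file()-style helper.

Added example; not PraisonAI / praisonaiagents code. It validates a URL
before it reaches httpx and walks redirects one hop at a time instead of
relying on follow_redirects.
"""
import ipaddress
import socket
from urllib.parse import urljoin, urlparse

ALLOWED_SCHEMES = {"http", "https"}
REDIRECT_CODES = {301, 302, 303, 307, 308}


class UnsafeURLError(ValueError):
    """Raised when a URL must not be fetched on the caller's behalf."""


def resolve_all(hostname):
    """Default resolver: every address the name maps to (A and AAAA)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(hostname, None)})


def is_public_address(ip):
    """True only for globally routable unicast addresses. IPv4-mapped IPv6
    addresses (::ffff:a.b.c.d) are judged as the IPv4 address they embed."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    blocked = (addr.is_private or addr.is_loopback or addr.is_link_local
               or addr.is_multicast or addr.is_reserved or addr.is_unspecified)
    return not blocked


def validate_download_url(url, resolver=resolve_all):
    """Reject anything that is not plain http(s) to a public host.

    Every address the host resolves to must be public, so a name that mixes
    public and internal records is refused as a whole. Returns the parsed URL.
    `resolver` is a hook so the check can be exercised without DNS.
    """
    parsed = urlparse(url)
    if parsed.scheme.lower() not in ALLOWED_SCHEMES:
        raise UnsafeURLError(f"scheme not allowed: {parsed.scheme!r}")
    host = parsed.hostname
    if not host:
        raise UnsafeURLError("URL has no host")
    if parsed.username is not None or parsed.password is not None:
        raise UnsafeURLError("userinfo in URL is not allowed")
    try:
        addresses = [str(ipaddress.ip_address(host))]  # literal IP, no lookup
    except ValueError:
        addresses = resolver(host)
    if not addresses:
        raise UnsafeURLError(f"{host!r} did not resolve")
    for ip in addresses:
        if not is_public_address(ip):
            raise UnsafeURLError(f"{host!r} resolves to non-public address {ip}")
    return parsed


def resolve_redirects(url, fetch, max_hops=5, resolver=resolve_all):
    """Walk a redirect chain one hop at a time, validating every target.

    `fetch(url)` must return (status_code, headers) WITHOUT following
    redirects itself. Returns the final, validated URL.
    """
    current = url
    for _ in range(max_hops + 1):
        validate_download_url(current, resolver=resolver)
        status, headers = fetch(current)
        if status not in REDIRECT_CODES:
            return current
        location = headers.get("location")
        if not location:
            raise UnsafeURLError("redirect without a Location header")
        current = urljoin(current, location)  # relative Location is allowed
    raise UnsafeURLError(f"more than {max_hops} redirects")


def safe_download(url, dest_path, resolver=resolve_all):
    """Download `url` to `dest_path` with httpx and follow_redirects=False.

    httpx is imported lazily so the checks above need no network library.
    Destination-path validation (which the advisory says already exists)
    is out of scope here.
    """
    import httpx  # assumed to be installed where this is called

    def fetch(u):
        response = httpx.head(u, follow_redirects=False, timeout=10.0)
        return response.status_code, response.headers

    final_url = resolve_redirects(url, fetch, resolver=resolver)
    with httpx.stream("GET", final_url, follow_redirects=False, timeout=10.0) as resp:
        if resp.status_code in REDIRECT_CODES:
            raise UnsafeURLError("final URL redirected unexpectedly")
        resp.raise_for_status()
        with open(dest_path, "wb") as fh:
            for chunk in resp.iter_bytes():
                fh.write(chunk)
    return final_url
```

Two caveats worth keeping in mind: resolving the name in the validator and again inside the HTTP client leaves a window for DNS rebinding, which a production guard closes by pinning the connection to the validated address; and a HEAD probe per hop assumes the server answers HEAD the same way it answers GET, which most, but not all, servers do.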

Added: Apr 3, 2026, 11:18 PM
Updated: Apr 3, 2026, 11:18 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 0.4
exploitability: 8.2
remediation: 0.0
relevance: 4.9
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.