PraisonAI WebSocket Endpoint Vulnerability Allows Unauthenticated Access to OpenAI API

A vulnerability exists in PraisonAI versions prior to 4.5.128, where the '/media-stream' WebSocket endpoint in the call module accepts connections from any client without authentication or validation of Twilio signatures. This flaw allows an unauthenticated attacker to open a session with OpenAI's Realtime API using the server's API key, without any restrictions on the number of connections, message frequency, or message size. As a result, attackers can deplete server resources and misuse the victim's OpenAI API credits.

Impact

Exploitation of this vulnerability leads to unauthorized access to OpenAI's Realtime API, causing a financial drain on the victim's API credits. Additionally, the vulnerability allows for denial-of-service conditions by exhausting server resources, which can disrupt legitimate Twilio services that rely on the affected server.

Reproduction

The vulnerability can be reproduced by connecting to the '/media-stream' WebSocket endpoint without authentication or a valid Twilio signature. Once connected, the WebSocket handler opens a session to OpenAI's Realtime API, using the server's API key. The connection can be kept alive by sending audio data, which is streamed to OpenAI and billed to the server owner. This process can be automated to open multiple concurrent connections, further increasing the resource consumption and API costs.

Remediation

Users are advised to update to PraisonAI version 4.5.128 or later. After updating, implement Twilio signature validation, connection limits, and rate limiting on the WebSocket endpoint. Also, configure the WebSocket message size limit to prevent excessive memory usage.