PraisonAIAgents Unvalidated URL Vulnerability in Web Crawl Tool Allows SSRF and Local File Read

Vulnerability

A vulnerability in the PraisonAIAgents web crawl tool prior to version 1.5.128 allows server-side request forgery (SSRF) and arbitrary local file reading. The issue arises because the web_crawl() function accepts URLs from AI agents without any validation, such as scheme allowlisting or hostname/IP blocklisting. This lack of validation enables an attacker to manipulate the agent into fetching cloud metadata endpoints, internal services, or local files via file:// URLs. The vulnerability is particularly concerning because it can lead to unauthorized access to sensitive information and internal resources.
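As an added illustration of the two controls the advisory says were missing (a scheme allowlist and a hostname/IP blocklist), the following Python helper is example code written for this page. It is not PraisonAIAgents' own code and not the fix shipped in version 1.5.128; the function names, the blocklisted ranges and the injectable resolver are assumptions made here so the check can be exercised offline.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Only plain web schemes; this rejects file://, gopher://, ftp:// and so on.
ALLOWED_SCHEMES = {"http", "https"}

# Non-public ranges a crawler should never reach (constructed list; extend as needed).
# Listing them explicitly also covers ranges such as the CGNAT block that older
# Python versions do not flag through the ipaddress.* convenience properties.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]


def _system_resolve(host):
    """Return every address the system resolver gives for host (the fetch may use any)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def _address_blocked(ip):
    """True if ip falls in a loopback, private, link-local or otherwise non-public range."""
    # Unwrap IPv4-mapped IPv6 (e.g. ::ffff:127.0.0.1) so the IPv4 rules apply to it.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    if (ip.is_loopback or ip.is_link_local or ip.is_private
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified):
        return True
    return any(ip in net for net in BLOCKED_NETWORKS)


def check_crawl_url(url, resolve=_system_resolve):
    """Return (True, None) if url may be fetched, otherwise (False, reason).

    `resolve` is injectable (hypothetical parameter) so callers can test offline
    or plug in their own resolver.
    """
    parsed = urlparse(url)
    if parsed.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parsed.scheme!r} is not allowed"
    host = parsed.hostname
    if not host:
        return False, "URL has no hostname"
    if parsed.username is not None or parsed.password is not None:
        return False, "credentials embedded in the URL are not allowed"

    # Literal IP hosts need no DNS; hostnames are resolved and every answer is checked.
    try:
        addresses = {str(ipaddress.ip_address(host))}
    except ValueError:
        try:
            addresses = set(resolve(host))
        except (socket.gaierror, OSError, KeyError) as exc:
            return False, f"could not resolve {host!r}: {exc}"
    if not addresses:
        return False, f"no addresses for {host!r}"

    for addr in addresses:
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            return False, f"unparseable address {addr!r} for {host!r}"
        if _address_blocked(ip):
            return False, f"{host!r} resolves to non-public address {addr}"
    return True, None


if __name__ == "__main__":
    # Constructed sample inputs.
    for candidate in ("https://example.com/", "file:///etc/passwd",
                      "http://169.254.169.254/", "http://[::ffff:127.0.0.1]/"):
        print(candidate, "->", check_crawl_url(candidate))
```

Two caveats a practitioner would add on top of this check: it validates the address at check time, so a crawler that later resolves the name again is open to a DNS-rebinding race unless the HTTP client is pinned to the address that was checked, and any redirect the fetch follows must be run through the same function before it is followed, since a public URL can redirect to a metadata or loopback address.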

Impact

Exploitation of this vulnerability could result in unauthorized access to cloud metadata, internal services, and local files, potentially leading to the exposure of sensitive information such as credentials and configuration files.

Reproduction

The vulnerability can be reproduced by prompting an AI agent to crawl a URL that exploits the lack of validation. This can be done by directly asking the agent to fetch internal URLs or by injecting a prompt into crawled content that directs the agent to access cloud metadata or internal endpoints. Once the agent follows these instructions, it can exfiltrate sensitive information, such as cloud credentials or data from local files.

Remediation

Users are advised to update to PraisonAIAgents version 1.5.128 or later, where this vulnerability has been fixed.

Added: Apr 9, 2026, 11:07 PM
Updated: Apr 9, 2026, 11:07 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 7.6
remediation: 0.0
relevance: 5.5
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.