PraisonAI Agents Web Crawl Internal Network Access Vulnerability

Vulnerability

A server-side request forgery (SSRF) vulnerability has been identified in PraisonAI Agents versions prior to 1.5.128. The issue is in the web_crawl tool's httpx fallback path, which passes the URL supplied to the tool directly to httpx.AsyncClient.get() without validating it. An LLM agent, and therefore anyone who can influence its instructions or the content it processes, can make the tool fetch internal URLs, including cloud metadata endpoints, internal services, and localhost. The fetched response may be returned to the agent and surface in its output, so whatever the internal endpoint returns can become visible to the attacker. This httpx fallback is the default behavior in a fresh PraisonAI installation that has neither a Tavily key nor Crawl4AI configured.

Impact

Exploitation of this vulnerability turns the agent's host into a proxy for reaching internal network services and cloud metadata endpoints, potentially exposing sensitive information such as the temporary IAM credentials served by the AWS instance metadata service.

Reproduction

The vulnerability can be reproduced by creating an agent with the web_crawl tool on an installation that falls through to the httpx path (no Tavily key, no Crawl4AI) and instructing it to fetch content from a non-routable address, such as the link-local AWS instance metadata endpoint. The response includes the metadata service's contents, demonstrating the SSRF.

Remediation

Users are advised to update to PraisonAI Agents version 1.5.128 or later. Those who cannot upgrade should add URL validation to the web_crawl tool before any httpx request is made: reject schemes other than http and https, reject hosts that are literal loopback, private, or link-local addresses, and resolve hostnames and apply the same check to every address they resolve to, since a check on the host string alone is bypassed by a DNS name that points at an internal IP. If the fetch follows redirects, each redirect target needs the same check.
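The check described above, written out as an added example; this is not PraisonAI's own code or its actual fix. It assumes a hypothetical guard function, check_crawl_url, that the crawler would call before handing a URL to httpx. It uses only the standard library, so it runs offline; the resolver argument exists so that hostname-based cases can be exercised with constructed DNS answers instead of live lookups.

```python
"""Hardened URL validation for an SSRF-prone fetch path.

Added example, not PraisonAI's own code. check_crawl_url is a hypothetical
guard meant to run before any httpx.AsyncClient.get() call.
"""
from __future__ import annotations

import ipaddress
import socket
from typing import Callable, Iterable
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# A resolver maps a hostname to every address it resolves to.
Resolver = Callable[[str], Iterable[str]]


def resolve_all(host: str) -> list[str]:
    """Resolve a hostname to every A/AAAA address the system resolver returns."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def is_forbidden_ip(ip: ipaddress.IPv4Address | ipaddress.IPv6Address) -> bool:
    """True for any address a web crawler must never reach: loopback, private
    (RFC 1918 / ULA), link-local (covers 169.254.169.254 and fe80::/10),
    multicast, unspecified and IETF-reserved ranges. IPv4-mapped IPv6
    addresses such as ::ffff:10.0.0.1 are unwrapped first so they cannot
    slip past the IPv4 checks."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (
        ip.is_loopback
        or ip.is_private
        or ip.is_link_local
        or ip.is_multicast
        or ip.is_unspecified
        or ip.is_reserved
    )


def check_crawl_url(url: str, resolver: Resolver = resolve_all) -> tuple[bool, str]:
    """Return (allowed, reason) for a URL the agent wants to crawl.

    Rejects non-http(s) schemes, URLs without a host, literal addresses that
    are not publicly routable, and hostnames for which ANY resolved address is
    not publicly routable (a name with one public and one private record is
    still rejected)."""
    try:
        parts = urlsplit(url)
    except ValueError as exc:
        return False, f"unparseable URL: {exc}"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname  # brackets stripped, userinfo and port removed
    if not host:
        return False, "missing host"
    # Literal IP (including bracketed IPv6): check it directly.
    try:
        literal = ipaddress.ip_address(host)
    except ValueError:
        literal = None
    if literal is not None:
        if is_forbidden_ip(literal):
            return False, f"address {literal} is not publicly routable"
        return True, "ok"
    # Hostname (also catches odd forms like decimal "2130706433" that the OS
    # resolver may still turn into 127.0.0.1): resolve and check every address.
    try:
        addresses = list(resolver(host))
    except (socket.gaierror, OSError) as exc:
        return False, f"cannot resolve {host!r}: {exc}"
    if not addresses:
        return False, f"no addresses for {host!r}"
    for addr in addresses:
        if is_forbidden_ip(ipaddress.ip_address(addr)):
            return False, f"{host!r} resolves to non-public address {addr}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed DNS answers, so the demo does not depend on live resolution.
    fake_dns = {"intranet.example": ["10.0.0.5"], "site.example": ["93.184.216.34"]}
    for candidate in [
        "http://169.254.169.254/latest/meta-data/iam/security-credentials/",
        "http://[::ffff:10.0.0.1]/",
        "file:///etc/passwd",
        "http://intranet.example/admin",
        "https://site.example/page",
    ]:
        print(candidate, "->", check_crawl_url(candidate, resolver=lambda h: fake_dns[h]))
```

Two caveats the check does not cover on its own. First, it resolves the name at check time while httpx resolves it again at connect time, so a DNS answer that changes between the two (DNS rebinding) can still reach an internal address; pinning the connection to the vetted IP, or re-validating inside a connect-time hook, closes that gap. Second, if the client is configured to follow redirects, the guard has to be applied to every hop, not just the first URL.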

Added: Apr 10, 2026, 5:27 PM
Updated: Apr 10, 2026, 5:27 PM

Vulnerability Rating (Custom Algorithm)

spread: 0.0
impact: 0.6
exploitability: 7.0
remediation: 0.0
relevance: 5.7
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.