frdel Agent Zero Server-Side Request Forgery Vulnerability in Document Query Tool
Vulnerability
A server-side request forgery (SSRF) vulnerability has been identified in frdel/agent0ai agent-zero version 0.9.7. The issue arises in the document query functionality, specifically within the handle_pdf_document method of python/helpers/document_query.py. The method does not properly validate the target URL, so an attacker can make the server send HTTP requests to arbitrary internal or external URLs. The full response from the requested URL is returned to the attacker, including data from internal services or cloud metadata endpoints. The vulnerability can be exploited remotely, and an exploit is publicly available.
Impact
Exploitation of this vulnerability allows for full server-side request forgery, with the potential to access internal network services, steal cloud credentials from metadata endpoints, perform network reconnaissance, and exfiltrate data from unexposed services.
Reproduction
To reproduce this vulnerability, upload the affected version of Agent Zero and ensure it is running. Then, use the document_query tool to fetch a PDF from a URL that targets an internal service or cloud metadata endpoint. The agent will return the full response, including any sensitive data such as IAM credentials.
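The URL validation that the description above reports as missing can be sketched as a pre-fetch check. This is an added example, not Agent Zero's code or its fix: vet_document_url, is_public, BlockedURL and demo_resolver are hypothetical names, and the DNS table is constructed so the check runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed DNS answers so the example runs offline (hypothetical hosts).
DEMO_DNS = {"docs.example.com": ["93.184.216.34"],
            "mixed.example.net": ["93.184.216.34", "169.254.169.254"]}


class BlockedURL(ValueError):
    """The URL must not be fetched from the server side."""


def demo_resolver(host, port, type=0):
    # Stand-in for socket.getaddrinfo: IP literals resolve to themselves.
    return [(socket.AF_INET, type, 6, "", (ip, port))
            for ip in DEMO_DNS.get(host, [host])]


def is_public(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    # Judge IPv4-mapped IPv6 (::ffff:a.b.c.d) by the IPv4 address inside it.
    addr = getattr(addr, "ipv4_mapped", None) or addr
    # is_global is False for loopback, RFC 1918, link-local (169.254/16), CGNAT.
    return addr.is_global and not addr.is_multicast


def vet_document_url(url, resolver=socket.getaddrinfo):
    """Return url's resolved IPs; raise BlockedURL unless all are public."""
    try:
        parts = urlsplit(url)
        scheme, host = parts.scheme.lower(), parts.hostname
        port = parts.port or (443 if scheme == "https" else 80)
    except ValueError as exc:
        raise BlockedURL(f"malformed URL: {exc}") from exc
    if scheme not in ("http", "https") or not host:
        raise BlockedURL(f"scheme or host not allowed: {url!r}")
    try:
        infos = resolver(host, port, type=socket.SOCK_STREAM)
    except OSError as exc:  # socket.gaierror is a subclass of OSError
        raise BlockedURL(f"cannot resolve {host!r}") from exc
    ips = sorted({info[4][0] for info in infos})
    bad = [ip for ip in ips if not is_public(ip)]
    if bad or not ips:
        raise BlockedURL(f"{host!r} resolves to non-public address(es): {bad}")
    return ips
```

The fetch should connect to one of the returned addresses rather than resolving the hostname a second time, and every redirect target needs the same check before it is followed.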
