letta-ai letta Server-Side Request Forgery Vulnerability in File URL Handler

Vulnerability

A server-side request forgery (SSRF) vulnerability has been identified in letta-ai letta version 0.16.4. The issue arises in the File URL Handler component, specifically within the _convert_message_create_to_message function of letta/helpers/message_helper.py. This vulnerability allows remote exploitation by manipulating the ImageContent argument to include file:// URLs, which the server then processes without proper validation. As a result, an attacker can read arbitrary files from the server's filesystem, including sensitive environment variables and application secrets.

Impact

Exploitation of this vulnerability allows any user with API access to read arbitrary files from the server's filesystem. In multi-user or cloud deployments, this could lead to unauthorized access to sensitive information such as environment variables (including API keys and database passwords), application source code, and configuration files. This vulnerability represents a privilege escalation from normal API usage to unrestricted filesystem access, crossing a trust boundary by accessing files belonging to the server operator.

Reproduction

The vulnerability can be reproduced by deploying letta version 0.16.4 via Docker, creating an agent, and sending a message whose ImageContent includes a file:// URL pointing to a file such as /etc/passwd or /proc/1/environ. The server reads the file, base64-encodes its contents, and passes them to the language model, demonstrating the SSRF.
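As an added illustration of the input validation that closes this class of bug, the following Python helper allowlists URL schemes for user-supplied image URLs before anything is fetched. This is example code written for this page, not letta's own code, and it does not show letta's real ImageContent model: the dict shape accepted by check_message_content (a "type" key plus a "url" key) is an assumption for the example. The host check goes beyond the file:// case described above; it also refuses loopback and private IP literals, which are the other usual SSRF targets, while leaving DNS resolution to the connection layer.

```python
"""Hypothetical hardening helper: validate user-supplied image URLs before fetch.

Example code added for this page; not letta's own implementation. The
content-part shape {"type": "image", "url": ...} is assumed, not letta's model.
"""
import ipaddress
from urllib.parse import urlsplit

# Only fetch images over HTTPS. file://, data:, ftp://, gopher:// and a
# scheme-less local path are all rejected by this allowlist.
ALLOWED_SCHEMES = frozenset({"https"})


def _host_is_internal(host: str) -> bool:
    """True for hosts that are obviously internal: "localhost" or an IP literal
    that is private, loopback, link-local, reserved or unspecified.

    DNS is deliberately not resolved here (keeps the check offline and cheap);
    a hostname that resolves to an internal address must still be blocked at
    connection time, for example by validating the resolved socket address.
    """
    if host.lower() == "localhost":
        return True
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # a hostname, not an IP literal
    return (
        addr.is_private
        or addr.is_loopback
        or addr.is_link_local
        or addr.is_reserved
        or addr.is_unspecified
    )


def is_safe_image_url(url) -> bool:
    """Return True only for an https URL with a non-internal host.

    Handles the usual bypass attempts: non-string input, surrounding
    whitespace, upper-case schemes (urlsplit lower-cases them), a missing
    host, and malformed IPv6 brackets (urlsplit raises ValueError).
    """
    if not isinstance(url, str):
        return False
    try:
        parts = urlsplit(url.strip())
        host = parts.hostname  # lower-cased, brackets stripped, may be None
    except ValueError:
        return False
    if parts.scheme not in ALLOWED_SCHEMES:
        return False
    if not host:
        return False
    return not _host_is_internal(host)


def check_message_content(content: list) -> list:
    """Scan a message's content parts and return a list of problems.

    An empty list means every image part carries an acceptable URL. Text
    parts are ignored. Part shape is the assumed {"type": ..., "url": ...}.
    """
    problems = []
    for i, part in enumerate(content):
        if part.get("type") != "image":
            continue
        url = part.get("url")
        if not is_safe_image_url(url):
            problems.append(f"content[{i}]: rejected image url {url!r}")
    return problems


if __name__ == "__main__":
    # Constructed sample message: one acceptable image, two that must be refused.
    sample = [
        {"type": "text", "text": "describe these"},
        {"type": "image", "url": "https://example.com/cat.png"},
        {"type": "image", "url": "file:///etc/passwd"},
        {"type": "image", "url": "https://127.0.0.1/internal.png"},
    ]
    for problem in check_message_content(sample):
        print(problem)
```

The check runs before any fetch, so the rejected parts never reach the code path that reads the URL; a deployment would return a 4xx to the caller and log the rejected value for detection. Because the example refuses http:// as well as file://, deployments that legitimately need plain http would add it to ALLOWED_SCHEMES, keeping the internal-host check in place.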

Added: Mar 27, 2026, 5:20 PM
Updated: Mar 27, 2026, 5:20 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.8
exploitability: 6.6
remediation: 0.0
relevance: 4.8
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.