FoundationAgents MetaGPT Server-Side Request Forgery Vulnerability in Image Decoding Function

A server-side request forgery (SSRF) vulnerability has been identified in FoundationAgents MetaGPT versions through 0.8.1. The issue arises in the 'decode_image' function within 'metagpt/utils/common.py', where the function improperly validates image URLs before fetching them. This flaw allows attackers to manipulate the 'img_url_or_b64' argument, leading the server to make unauthorized requests to internal resources or cloud metadata endpoints. The vulnerability can be exploited remotely, and an exploit is publicly available.

Impact

Exploitation of this vulnerability allows for semi-blind SSRF, where an attacker can cause the server to make requests to internal services or cloud metadata endpoints, potentially leading to unauthorized access or manipulation of data. While the response from these requests is filtered through 'Image.open()', which rejects non-image content, attackers can still use timing analysis or DNS-based exfiltration techniques to extract information.

Reproduction

The vulnerability can be reproduced by injecting a crafted image URL into the 'decode_image' function. This can be done through LLM prompt injection or by manipulating API responses to include internal URLs. Once the 'decode_image' function is called with the crafted URL, the server will make a request to the internal resource, bypassing firewall restrictions and exposing sensitive information.

Remediation

Users are advised to update to the patched version of MetaGPT, which includes proper URL validation to prevent SSRF vulnerabilities. The latest version can be downloaded from the MetaGPT GitHub repository.