TransformerOptimus SuperAGI
cpe:2.3:a:superagi:superagi:*:*:*:*:*:*:*
- <= 0.0.14
A server-side request forgery (SSRF) vulnerability has been identified in TransformerOptimus SuperAGI versions through 0.0.14. This issue resides within the WebScraperTool component, specifically in the 'extract_with_bs4', 'extract_with_3k', and 'extract_with_lxml' functions of 'superagi/helper/webpage_extractor.py'. The vulnerability allows authenticated users to manipulate agent goals, directing the server to make unvalidated HTTP requests to internal services, localhost, or cloud metadata endpoints. The response from these requests is then returned to the user via the agent execution feed, effectively exfiltrating internal data.
Exploitation of this vulnerability allows authenticated users to access internal services and cloud metadata, such as AWS IAM role credentials, GCP service account tokens, or Azure IMDS tokens, potentially leading to full cloud account compromise. Additionally, the vulnerability could be used to scan internal networks or access and exfiltrate data from internal APIs and services.
To reproduce this vulnerability, create an agent in SuperAGI with the WebScraperTool enabled and set a goal to fetch content from a cloud metadata URL, such as the AWS metadata endpoint for IAM credentials. Once the agent is executed, the fetched content will be available in the execution feed, demonstrating the SSRF vulnerability by accessing internal or metadata URLs.
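The root cause described above is that the extractor fetches whatever URL the agent goal supplies without validating the destination. The following is an added example of the kind of allow-list check a fetcher should apply before issuing the request; it is not SuperAGI's own code, and the function names (`check_scrape_url`, `resolve_host`) are hypothetical. Every resolved address, including IPv4-mapped IPv6 forms, must be globally routable, and well-known metadata hostnames are refused outright.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Hostnames that reach cloud metadata or loopback regardless of IP checks.
BLOCKED_HOSTS = {"metadata.google.internal", "metadata", "localhost"}


def resolve_host(hostname: str) -> list[str]:
    """Resolve a hostname to every address it maps to (A and AAAA records)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(hostname, None)})


def is_public_address(addr: str) -> bool:
    """True only for globally routable unicast addresses. Rejects loopback,
    RFC 1918, link-local (including 169.254.169.254), ULA, ::1 and multicast."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped  # ::ffff:169.254.169.254 -> 169.254.169.254
    return ip.is_global and not ip.is_multicast


def check_scrape_url(url: str, resolver=resolve_host) -> tuple[bool, str]:
    """Decide whether a scraper may fetch `url`. Returns (allowed, reason).
    `resolver` is injectable so the check can be tested without live DNS."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return False, f"scheme not allowed: {parsed.scheme or '<none>'}"
    host = parsed.hostname
    if not host:
        return False, "missing host"
    if host.lower().rstrip(".") in BLOCKED_HOSTS:
        return False, f"blocked hostname: {host}"
    try:
        ipaddress.ip_address(host)  # literal IP: no DNS lookup needed
        addrs = [host]
    except ValueError:
        try:
            addrs = resolver(host)
        except (socket.gaierror, OSError) as exc:
            return False, f"resolution failed: {exc}"
    # Reject if ANY record is non-public; a mixed answer is still unsafe.
    for addr in addrs:
        if not is_public_address(addr):
            return False, f"{host} resolves to non-public address {addr}"
    return True, "ok"
```

Checking and then fetching is still a time-of-check/time-of-use gap under DNS rebinding, so the HTTP client should connect to the address that passed the check rather than resolving again, and redirects must be disabled or re-validated hop by hop.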