GHSA-q9pw-vmhh-384g
Suggest an improvement- Source
- https://github.com/advisories/GHSA-q9pw-vmhh-384g
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-q9pw-vmhh-384g/GHSA-q9pw-vmhh-384g.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-q9pw-vmhh-384g
- Aliases
-
- CVE-2026-44335
- Published
- 2026-05-06T22:08:11Z
- Modified
- 2026-05-12T17:09:27.390633Z
- Severity
-
- 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- 7.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P CVSS Calculator
- Summary
- PraisonAI has an SSRF bypass
- Details
-
Summary
The URL checking logic in PraisonAI has a logical flaw that could be bypassed by attackers, leading to SSRF attacks.
Details
The current PraisonAI project uses validateurl to validate the input URL. The main logic is to perform security checks on the host portion of the URL extracted by urlparse to prevent SSRF attacks.
<img width="1290" height="1145" alt="QQ20260424-151256-24-1" src="https://github.com/user-attachments/assets/d5f16b74-5ad2-444f-8600-b05f78a4b769" />
However, there are indeed differences in parsing between urlparse and the library that actually sends the request. Currently, almost all application scenarios in this project involve first using validateurl for URL validation, and then using getsession().get to send the request.
<img width="1143" height="740" alt="QQ20260424-151437-24-2" src="https://github.com/user-attachments/assets/b1bf6ec2-d32a-4dac-b814-da819e8d3c83" />
In reality, its underlying mechanism is requests.get.
<img width="1042" height="576" alt="QQ20260424-151645-24-3" src="https://github.com/user-attachments/assets/e17352c3-4205-44d6-ab6e-75566480215b" />
The core issue:
urlparse()andrequestsdisagree on which host a URL likehttp://127.0.0.1:6666\@1.1.1.1points to:urlparse()treats\as a regular character and@as the userinfo-host delimiter, so it extracts hostname as1.1.1.1(public)requeststreats\as a path character, connecting to127.0.0.1(internal)
Below is a test code I wrote following the code.
import sys from pathlib import Path from pprint import pprint sys.path.insert(0, str(Path(r"D:/BaiduNetdiskDownload/PraisonAI-main/PraisonAI-main/src/praisonai-agents"))) from praisonaiagents.tools import spider_tools # url = "http://127.0.0.1:6666\@1.1.1.1" url = "http://127.0.0.1:6666" result = spider_tools.scrape_page(url) if isinstance(result, dict) and "error" in result: print("scrape failed:", result["error"]) else: pprint(result)When an attacker uses
http://127.0.0.1:6666/, the existing detection logic can detect that this is an internal network address and block it.<img width="1068" height="128" alt="QQ20260424-152007-24-4" src="https://github.com/user-attachments/assets/294bff10-2af6-4960-bf69-dbf3340b1e9b" />
However, when an attacker uses
http://127.0.0.1:6666\@1.1.1.1, the detection logic resolves the host to1.1.1.1, which is a public IP address, thus passing the verification. But in the actual request process, this URL is forwarded by requests.get tohttp://127.0.0.1:6666, bypassing the detection and achieving an SSRF attack.<img width="2089" height="324" alt="QQ20260424-152123-24-5" src="https://github.com/user-attachments/assets/4421ce42-e47b-48de-a97a-56ce56a2bbc9" />
PoC
http://127.0.0.1:6666\@1.1.1.1Impact
SSRF
- Database specific
{ "github_reviewed_at": "2026-05-06T22:08:11Z", "github_reviewed": true, "cwe_ids": [ "CWE-918" ], "nvd_published_at": "2026-05-08T14:16:46Z", "severity": "HIGH" }- References
Affected packages
PyPI / praisonaiagents
Package
- Name
- praisonaiagents
- View open source insights on deps.dev
- Purl
- pkg:pypi/praisonaiagents
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed1.6.32