Python
CVE-2026-34954
HIGH
Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Lifecycle Timeline
3DescriptionGitHub Advisory
Summary
FileTools.download_file() in praisonaiagents validates the destination path but performs no validation on the url parameter, passing it directly to httpx.stream() with follow_redirects=True. An attacker who controls the URL can reach any host accessible from the server including cloud metadata services and internal network services.
Details
file_tools.py:259 (source) -> file_tools.py:296 (sink)
# source -- url taken directly from caller, no validation
def download_file(self, url: str, destination: str, ...):
# sink -- unvalidated url passed to httpx with redirect following
with httpx.stream("GET", url, timeout=timeout, follow_redirects=True) as response:PoC
# tested on: praisonaiagents==1.5.87 (source install)
# install: pip install -e src/praisonai-agents
# start listener: python3 -m http.server 8888
import os
os.environ['PRAISONAI_AUTO_APPROVE'] = 'true'
from praisonaiagents.tools.file_tools import download_file
result = download_file(
url="http://127.0.0.1:8888/ssrf-test",
destination="/tmp/ssrf_out.txt"
)
print(result)
# listener logs: "GET /ssrf-test HTTP/1.1" 404
# on EC2 with IMDSv1: url="http://169.254.169.254/latest/meta-data/iam/security-credentials/"
# writes IAM credentials to destination fileImpact
On cloud infrastructure with IMDSv1 enabled, an attacker can retrieve IAM credentials via the EC2 metadata service and write them to disk for subsequent agent steps to exfiltrate. follow_redirects=True enables open-redirect chaining to bypass partial URL filters. Reachable via indirect prompt injection with no authentication required.
Suggested Fix
from urllib.parse import urlparse
import ipaddress
BLOCKED_NETWORKS = [
ipaddress.ip_network("127.0.0.0/8"),
ipaddress.ip_network("169.254.0.0/16"),
ipaddress.ip_network("10.0.0.0/8"),
ipaddress.ip_network("172.16.0.0/12"),
ipaddress.ip_network("192.168.0.0/16"),
]
def _validate_url(url: str) -> None:
parsed = urlparse(url)
if parsed.scheme not in ("http", "https"):
raise ValueError(f"Scheme {parsed.scheme!r} not allowed")
try:
addr = ipaddress.ip_address(parsed.hostname)
for net in BLOCKED_NETWORKS:
if addr in net:
raise ValueError(f"Requests to {addr} are not permitted")
except ValueError as e:
if "does not appear to be" not in str(e):
raiseAnalysisAI
Server-Side Request Forgery (SSRF) in praisonaiagents allows unauthenticated remote attackers to access internal network resources and cloud metadata services. The FileTools.download_file() function passes user-controlled URLs directly to httpx.stream() with redirect following enabled, bypassing network boundaries. On AWS EC2 instances with IMDSv1, attackers can retrieve IAM credentials from the metadata service (169.254.169.254) and write them to disk. Exploitation requires no authentication (P
Technical ContextAI
This vulnerability affects the praisonaiagents Python package, an AI agent framework that provides file manipulation capabilities. The root cause is CWE-918 (Server-Side Request Forgery), a common flaw in applications that fetch remote resources without validating destination URLs. The vulnerable code path begins at file_tools.py:259 where the url parameter is accepted without validation and flows to line 296 where it's passed to httpx.stream() with follow_redirects=True enabled. The httpx library, a modern HTTP client for Python, will honor HTTP redirects, allowing attackers to chain open redirects to bypass naive URL filters. The function validates the destination filesystem path but performs zero validation on the URL scheme, hostname, or IP address. This enables attackers to target RFC 1918 private IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), localhost (127.0.0.0/8), and critically, the AWS EC2 metadata service at 169.254.169.254. Cloud metadata services expose sensitive information including IAM role credentials, instance identity documents, and user-data scripts without authentication when accessed from the instance itself.
RemediationAI
Upgrade to a patched version of praisonaiagents as soon as the maintainer releases a fix addressing the URL validation gap in FileTools.download_file(). Monitor the GitHub advisory at https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-44c2-3rw4-5gvh for patch availability announcements. Until a vendor-released patch is available, implement defense-in-depth controls: (1) Deploy network-level egress filtering to block outbound connections to RFC 1918 private ranges, localhost, and cloud metadata IP ranges (169.254.169.254 for AWS, 169.254.169.254 for GCP, 169.254.169.254 for Azure); (2) Upgrade AWS EC2 instances to require IMDSv2, which mitigates SSRF-based metadata access by requiring HTTP headers that SSRF cannot typically forge (aws ec2 modify-instance-metadata-options --instance-id i-xxx --http-tokens required); (3) Apply the suggested fix from the advisory by adding URL validation code that blocks non-HTTP(S) schemes, resolves hostnames to IP addresses, and rejects requests to blocked networks including loopback, link-local, and private ranges before passing URLs to httpx; (4) If modifying source code, disable follow_redirects or implement allowlist-based URL validation rather than blocklist approaches which are bypassable; (5) Run praisonaiagents in isolated network segments with no access to sensitive internal services; (6) Implement input validation and sanitization on any user-controlled data that flows to
Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t
BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser
pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi
The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python
BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph
pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.
In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse
Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/
pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne
Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301
Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-44c2-3rw4-5gvh