Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (VulnCheck) · only source for this CVE.
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Nanobot prior to version 0.2.1 contains a server-side request forgery vulnerability in the web_fetch tool that allows remote attackers to reach internal or private network hosts by supplying a URL that redirects to a loopback or private address via a 3xx Location header. Attackers can exploit the automatic HTTP redirect following behavior in the httpx library to bypass initial URL validation and cause the runtime to send outbound requests to internal hosts before final resolved URL validation is applied.
AnalysisAI
Server-side request forgery in Nanobot's web_fetch tool prior to v0.2.1 allows authenticated remote attackers to probe and reach internal or private network hosts by exploiting the httpx library's automatic HTTP redirect-following behavior. The attack bypasses initial URL validation by supplying a legitimate-looking external URL that responds with a 3xx redirect to a loopback or RFC-1918 address - the outbound request to the internal host is dispatched before any post-redirect validation is applied. No public exploit code exists and no CISA KEV listing is present, but the Changed Scope (S:C) in the CVSS vector indicates that successful exploitation can affect network components beyond Nanobot itself, such as internal APIs or metadata services.
Technical ContextAI
Nanobot (CPE: cpe:2.3:a:hkuds:nanobot:*:*:*:*:*:*:*:*) is an AI agent runtime developed by HKUDS that exposes a web_fetch tool enabling the agent to fetch arbitrary URLs on behalf of users. The underlying HTTP client is the Python httpx library, which follows 3xx Location redirects automatically by default. CWE-918 (Server-Side Request Forgery) describes the root cause: the application validates the user-supplied URL before issuing the request but does not re-validate or block the final destination after redirect resolution. This creates a TOCTOU-style gap - the initial URL appears safe (pointing to an attacker-controlled external host), but the 3xx redirect steers httpx to a loopback (127.0.0.1/::1) or private-range address (10.x, 172.16-31.x, 192.168.x) that would normally be rejected. Because the redirect is followed before final URL validation is applied, the request reaches the internal host and any response may be observable by the attacker through the tool's output.
RemediationAI
The primary fix is to upgrade Nanobot to v0.2.1 or later; the patch is available via the GitHub release at https://github.com/HKUDS/nanobot/releases/tag/v0.2.1 and was introduced in commit 545294c62c0947da40eb5b65288aaf02b5fdf632 (PR #3928). If an immediate upgrade is not possible, compensating controls should target the redirect-following behavior: configure the httpx client (or any HTTP client wrapping web_fetch) to disable automatic redirect following, then explicitly validate the Location header URL against an allowlist of permitted external domains before issuing a follow-up request - this eliminates the validation gap without patching. Alternatively, deploy Nanobot behind a network egress filter or HTTP proxy that blocks outbound connections to RFC-1918 ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), loopback (127.0.0.0/8, ::1), and cloud metadata service addresses (169.254.169.254) - note this adds operational overhead and may break legitimate internal integrations. Restricting web_fetch tool access to only highly-trusted user roles is a further risk-reduction measure while the patch is being deployed.
Remote code execution in nanobot personal AI assistant (versions prior to 0.1.6) allows unauthenticated attackers to exe
Arbitrary file write in HKUDS Nanobot's WhatsApp bridge (versions 0.1.5.post3 and prior) allows remote unauthenticated a
Cross-Site WebSocket Hijacking in nanobot personal AI assistant (versions before 0.1.5) allows remote websites to establ
Server-side request forgery in Nanobot (HKUDS) prior to 0.2.1 lets unauthenticated remote attackers exfiltrate Microsoft
Nanobot's Matrix channel media download handler exhausts process memory and bandwidth when authenticated room members su
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33757
GHSA-434r-7c99-hwf3