{"id":"GHSA-44c2-3rw4-5gvh","summary":"PraisonAI Has SSRF in FileTools.download_file() via Unvalidated URL","details":"### Summary\n\n`FileTools.download_file()` in `praisonaiagents` validates the destination path but performs no validation on the `url` parameter, passing it directly to `httpx.stream()` with `follow_redirects=True`. An attacker who controls the URL can reach any host accessible from the server including cloud metadata services and internal network services.\n\n### Details\n\n`file_tools.py:259` (source) -\u003e `file_tools.py:296` (sink)\n```python\n# source -- url taken directly from caller, no validation\ndef download_file(self, url: str, destination: str, ...):\n\n# sink -- unvalidated url passed to httpx with redirect following\n    with httpx.stream(\"GET\", url, timeout=timeout, follow_redirects=True) as response:\n```\n\n### PoC\n```bash\n# tested on: praisonaiagents==1.5.87 (source install)\n# install: pip install -e src/praisonai-agents\n# start listener: python3 -m http.server 8888\n\nimport os\nos.environ['PRAISONAI_AUTO_APPROVE'] = 'true'\nfrom praisonaiagents.tools.file_tools import download_file\n\nresult = download_file(\n    url=\"http://127.0.0.1:8888/ssrf-test\",\n    destination=\"/tmp/ssrf_out.txt\"\n)\nprint(result)\n# listener logs: \"GET /ssrf-test HTTP/1.1\" 404\n# on EC2 with IMDSv1: url=\"http://169.254.169.254/latest/meta-data/iam/security-credentials/\"\n# writes IAM credentials to destination file\n```\n\n### Impact\n\nOn cloud infrastructure with IMDSv1 enabled, an attacker can retrieve IAM credentials via the EC2 metadata service and write them to disk for subsequent agent steps to exfiltrate. `follow_redirects=True` enables open-redirect chaining to bypass partial URL filters. Reachable via indirect prompt injection with no authentication required.\n\n### Suggested Fix\n```python\nfrom urllib.parse import urlparse\nimport ipaddress\n\nBLOCKED_NETWORKS = [\n    ipaddress.ip_network(\"127.0.0.0/8\"),\n    ipaddress.ip_network(\"169.254.0.0/16\"),\n    ipaddress.ip_network(\"10.0.0.0/8\"),\n    ipaddress.ip_network(\"172.16.0.0/12\"),\n    ipaddress.ip_network(\"192.168.0.0/16\"),\n]\n\ndef _validate_url(url: str) -\u003e None:\n    parsed = urlparse(url)\n    if parsed.scheme not in (\"http\", \"https\"):\n        raise ValueError(f\"Scheme {parsed.scheme!r} not allowed\")\n    try:\n        addr = ipaddress.ip_address(parsed.hostname)\n        for net in BLOCKED_NETWORKS:\n            if addr in net:\n                raise ValueError(f\"Requests to {addr} are not permitted\")\n    except ValueError as e:\n        if \"does not appear to be\" not in str(e):\n            raise\n```","aliases":["CVE-2026-34954"],"modified":"2026-04-06T23:04:11.416566Z","published":"2026-04-01T23:27:07Z","database_specific":{"nvd_published_at":"2026-04-03T23:17:06Z","cwe_ids":["CWE-918"],"severity":"HIGH","github_reviewed":true,"github_reviewed_at":"2026-04-01T23:27:07Z"},"references":[{"type":"WEB","url":"https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-44c2-3rw4-5gvh"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-34954"},{"type":"PACKAGE","url":"https://github.com/MervinPraison/PraisonAI"}],"affected":[{"package":{"name":"praisonaiagents","ecosystem":"PyPI","purl":"pkg:pypi/praisonaiagents"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.5.95"}]}],"versions":["0.0.1","0.0.10","0.0.100","0.0.101","0.0.102","0.0.103","0.0.104","0.0.105","0.0.106","0.0.107","0.0.108","0.0.109","0.0.11","0.0.110","0.0.111","0.0.112","0.0.113","0.0.114","0.0.115","0.0.116","0.0.117","0.0.118","0.0.119","0.0.12","0.0.120","0.0.121","0.0.122","0.0.123","0.0.124","0.0.125","0.0.126","0.0.127","0.0.128","0.0.129","0.0.13","0.0.130","0.0.131","0.0.132","0.0.133","0.0.134","0.0.135","0.0.136","0.0.137","0.0.138","0.0.139","0.0.14","0.0.140","0.0.141","0.0.142","0.0.143","0.0.144","0.0.145","0.0.146","0.0.147","0.0.148","0.0.149","0.0.15","0.0.150","0.0.151","0.0.152","0.0.153","0.0.154","0.0.155","0.0.156","0.0.157","0.0.158","0.0.159","0.0.16","0.0.160","0.0.161","0.0.162","0.0.163","0.0.164","0.0.165","0.0.166","0.0.167","0.0.168","0.0.169","0.0.17","0.0.170","0.0.171","0.0.172","0.0.173","0.0.174","0.0.175","0.0.176","0.0.177","0.0.178","0.0.179","0.0.18","0.0.180","0.0.181","0.0.182","0.0.183","0.0.184","0.0.185","0.0.187","0.0.188","0.0.189","0.0.19","0.0.190","0.0.191","0.0.192","0.0.193","0.0.194","0.0.195","0.0.196","0.0.197","0.0.198","0.0.199","0.0.2","0.0.20","0.0.21","0.0.22","0.0.23","0.0.24","0.0.25","0.0.26","0.0.27","0.0.28","0.0.29","0.0.3","0.0.30","0.0.31","0.0.32","0.0.33","0.0.34","0.0.35","0.0.36","0.0.37","0.0.38","0.0.39","0.0.4","0.0.40","0.0.41","0.0.42","0.0.43","0.0.44","0.0.45","0.0.46","0.0.47","0.0.48","0.0.49","0.0.5","0.0.50","0.0.51","0.0.52","0.0.53","0.0.54","0.0.56","0.0.57","0.0.58","0.0.59","0.0.6","0.0.60","0.0.61","0.0.62","0.0.63","0.0.64","0.0.65","0.0.66","0.0.67","0.0.68","0.0.69","0.0.7","0.0.70","0.0.71","0.0.72","0.0.73","0.0.74","0.0.75","0.0.76","0.0.77","0.0.78","0.0.79","0.0.8","0.0.80","0.0.81","0.0.82","0.0.83","0.0.84","0.0.85","0.0.86","0.0.87","0.0.88","0.0.89","0.0.9","0.0.90","0.0.91","0.0.92","0.0.93","0.0.94","0.0.95","0.0.96","0.0.97","0.0.98","0.0.99","0.1.0","0.1.1","0.1.10","0.1.11","0.1.12","0.1.13","0.1.14","0.1.15","0.1.16","0.1.17","0.1.18","0.1.19","0.1.2","0.1.20","0.1.21","0.1.22","0.1.23","0.1.24","0.1.25","0.1.26","0.1.27","0.1.3","0.1.4","0.1.5","0.1.6","0.1.7","0.1.8","0.1.9","0.10.0","0.10.1","0.10.10","0.10.2","0.10.3","0.10.4","0.10.5","0.10.6","0.10.7","0.10.8","0.10.9","0.11.0","0.11.1","0.11.10","0.11.11","0.11.12","0.11.13","0.11.14","0.11.15","0.11.16","0.11.17","0.11.18","0.11.19","0.11.2","0.11.20","0.11.21","0.11.22","0.11.23","0.11.24","0.11.25","0.11.27","0.11.28","0.11.29","0.11.3","0.11.30","0.11.31","0.11.4","0.11.5","0.11.6","0.11.7","0.11.8","0.11.9","0.12.0","0.12.1","0.12.10","0.12.11","0.12.12","0.12.13","0.12.14","0.12.15","0.12.16","0.12.17","0.12.18","0.12.19","0.12.2","0.12.20","0.12.21","0.12.3","0.12.4","0.12.5","0.12.6","0.12.7","0.12.8","0.12.9","0.13.0","0.13.1","0.13.10","0.13.11","0.13.12","0.13.13","0.13.14","0.13.15","0.13.16","0.13.17","0.13.18","0.13.19","0.13.2","0.13.20","0.13.21","0.13.22","0.13.23","0.13.3","0.13.4","0.13.5","0.13.6","0.13.7","0.13.8","0.13.9","0.14.0","0.14.1","0.14.10","0.14.11","0.14.12","0.14.14","0.14.15","0.14.16","0.14.2","0.14.3","0.14.4","0.14.5","0.14.6","0.14.7","0.14.8","0.14.9","0.15.0","0.15.1","0.15.2","0.15.3","0.2.0","0.2.1","0.2.2","0.3.0","0.3.1","0.3.2","0.3.3","0.3.4","0.4.0","0.4.1","0.5.0","0.5.1","0.5.2","0.5.3","0.6.0","0.6.1","0.6.2","0.6.3","0.6.4","0.6.5","0.6.6","0.6.7","0.6.8","0.7.0","0.7.1","0.8.0","0.8.1","0.9.0","0.9.1","1.0.0","1.1.0","1.2.0","1.2.1","1.2.2","1.2.3","1.2.4","1.3.0","1.3.1","1.4.0","1.4.1","1.4.2","1.4.3","1.4.4","1.4.5","1.4.6","1.4.7","1.4.8","1.5.0","1.5.1","1.5.10","1.5.11","1.5.12","1.5.13","1.5.14","1.5.15","1.5.16","1.5.17","1.5.18","1.5.19","1.5.2","1.5.20","1.5.21","1.5.22","1.5.23","1.5.24","1.5.25","1.5.26","1.5.27","1.5.28","1.5.29","1.5.3","1.5.30","1.5.31","1.5.32","1.5.33","1.5.34","1.5.35","1.5.36","1.5.37","1.5.38","1.5.39","1.5.40","1.5.41","1.5.42","1.5.43","1.5.44","1.5.45","1.5.46","1.5.47","1.5.48","1.5.49","1.5.5","1.5.50","1.5.51","1.5.52","1.5.53","1.5.54","1.5.55","1.5.56","1.5.57","1.5.58","1.5.59","1.5.6","1.5.60","1.5.61","1.5.62","1.5.63","1.5.64","1.5.65","1.5.66","1.5.67","1.5.68","1.5.69","1.5.7","1.5.70","1.5.71","1.5.72","1.5.73","1.5.74","1.5.75","1.5.76","1.5.77","1.5.78","1.5.79","1.5.8","1.5.80","1.5.81","1.5.82","1.5.83","1.5.84","1.5.85","1.5.86","1.5.87","1.5.88","1.5.89","1.5.9","1.5.90","1.5.91","1.5.92","1.5.93","1.5.94"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-44c2-3rw4-5gvh/GHSA-44c2-3rw4-5gvh.json","last_known_affected_version_range":"\u003c= 1.5.94"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N"}]}