Doredry

**Name of the Vulnerable Software and Affected Versions** Semantic Kernel Python SDK versions prior to 1.39.4 **Description** A remote code execution issue exists within the `InMemoryVectorStore` filter functionality. The flaw occurs in the `InMemoryCollection. parse and validate filter` function, where a specially crafted `filter str` can access Python object internals, such as ` globals `, allowing an attacker to escalate a prompt injection into arbitrary code execution. **Recommendations** Update Semantic Kernel Python SDK to version 1.39.4 or later. As a temporary workaround, avoid using `InMemoryVectorStore` for production scenarios.

**Name of the Vulnerable Software and Affected Versions** Pydantic AI versions 1.34.0 through 1.50.9 **Description** Pydantic AI contains a path traversal issue in its web UI. A crafted URL can be used by an attacker to serve arbitrary JavaScript within the application's context. This allows execution of attacker-controlled code in the victim's browser, potentially leading to theft of chat history and session cookies. The issue arises because the CDN URL is constructed using a non-validated `version` query parameter from the request URL, enabling path traversal sequences. This vulnerability affects applications utilizing `Agent.to web` or `clai web` to serve a chat interface, which may be running locally or on a remote server. **Recommendations** Upgrade to version 1.51.0 or later to remove the user-controllable `version` parameter and prevent the vulnerability.

**Name of the Vulnerable Software and Affected Versions** Microsoft Semantic Kernel .NET SDK versions prior to 1.71.0 Agent Framework version 1.0 **Description** An arbitrary file write issue exists within the `SessionsPythonPlugin` of the .NET SDK. This flaw can be chained with path traversal and insecure automated optimizations to achieve remote code execution (RCE). The problem arises from a trust gap where stochastic LLM output is treated as high-privilege system commands when `AutoInvokeKernelFunctions` is enabled, failing to effectively validate tool calls. Attackers can bypass security filters using JSON type confusion, Base64/URL encoding, or Unicode homoglyphs to overwrite the application's own source code, such as `Program.cs`, leading to full host takeover. The issue specifically involves the `DownloadFileAsync()` and `UploadFileAsync()` functions and the `localFilePath` variable. **Recommendations** For Microsoft Semantic Kernel .NET SDK versions prior to 1.71.0, update to version 1.71.0 or higher. For Agent Framework version 1.0, disable `ToolCallBehavior.AutoInvokeKernelFunctions` and switch to manual function invocation. As a temporary mitigation, implement a Function Invocation Filter to verify that the `localFilePath` variable passed to `DownloadFileAsync()` or `UploadFileAsync()` is allow listed and anchored to a safe root.

**Name of the Vulnerable Software and Affected Versions** Pydantic AI versions 0.0.26 through 1.55.9 **Description** A Server-Side Request Forgery (SSRF) vulnerability exists in Pydantic AI's URL download functionality. When applications accept message history from untrusted sources, attackers can include malicious URLs that cause the server to make HTTP requests to internal network resources, potentially accessing internal services or cloud credentials. This vulnerability only affects applications that accept message history from external users, such as those using `Agent.to web`, `clai web`, `VercelAIAdapter`, `AGUIAdapter`, or `Agent.to ag ui`, or custom APIs that accept message history from user input. The `download item()` helper function downloads content from URLs without validating that the target is a public internet address. Attackers can potentially access internal services, steal cloud credentials, or scan internal networks. Multiple model integrations download URL content in certain conditions, including `OpenAIChatModel`, `AnthropicModel`, `GoogleModel`, `XaiModel`, `BedrockConverseModel`, and `OpenRouterModel`. **Recommendations** Upgrade to version 1.56.0 or later. If a project cannot upgrade immediately, use a history processor to filter out URLs targeting local/private addresses.