PT-2026-59582 · Pypi · Praisonaiagents
Published
2026-07-13
·
Updated
2026-07-13
CVSS v3.1
9.8
Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Summary
The URL checking logic in PraisonAI has a logical flaw that could be bypassed by attackers, leading to SSRF attacks.
Details
The current PraisonAI project uses validate url to validate the input URL. The main logic is to perform security checks on the host portion of the URL extracted by urlparse to prevent SSRF attacks.
However, there are indeed differences in parsing between urlparse and the library that actually sends the request. Currently, almost all application scenarios in this project involve first using validate url for URL validation, and then using get session().get to send the request.
In reality, its underlying mechanism is requests.get.
The core issue:
urlparse() and requests disagree on which host a URL like http://127.0.0.1:6666@1.1.1.1 points to:urlparse()treats `` as a regular character and@as the userinfo-host delimiter, so it extracts hostname as1.1.1.1(public)requeststreats `` as a path character, connecting to127.0.0.1(internal)
Below is a test code I wrote following the code.
import sys
from pathlib import Path
from pprint import pprint
sys.path.insert(0, str(Path(r"D:/BaiduNetdiskDownload/PraisonAI-main/PraisonAI-main/src/praisonai-agents")))
from praisonaiagents.tools import spider tools
# url = "http://127.0.0.1:6666@1.1.1.1"
url = "http://127.0.0.1:6666"
result = spider tools.scrape page(url)
if isinstance(result, dict) and "error" in result:
print("scrape failed:", result["error"])
else:
pprint(result)When an attacker uses
http://127.0.0.1:6666/, the existing detection logic can detect that this is an internal network address and block it.However, when an attacker uses
http://127.0.0.1:6666@1.1.1.1, the detection logic resolves the host to 1.1.1.1, which is a public IP address, thus passing the verification. But in the actual request process, this URL is forwarded by requests.get to http://127.0.0.1:6666, bypassing the detection and achieving an SSRF attack.PoC
http://127.0.0.1:6666@1.1.1.1Impact
SSRF
Fix
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Praisonaiagents