PT-2026-59582 · Pypi · Praisonaiagents

Published

2026-07-13

·

Updated

2026-07-13

CVSS v3.1

9.8

Critical

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

The URL checking logic in PraisonAI has a logical flaw that could be bypassed by attackers, leading to SSRF attacks.

Details

The current PraisonAI project uses validate url to validate the input URL. The main logic is to perform security checks on the host portion of the URL extracted by urlparse to prevent SSRF attacks.
QQ20260424-151256-24-1
However, there are indeed differences in parsing between urlparse and the library that actually sends the request. Currently, almost all application scenarios in this project involve first using validate url for URL validation, and then using get session().get to send the request.
QQ20260424-151437-24-2
In reality, its underlying mechanism is requests.get.
QQ20260424-151645-24-3
The core issue: urlparse() and requests disagree on which host a URL like http://127.0.0.1:6666@1.1.1.1 points to:
  • urlparse() treats `` as a regular character and @ as the userinfo-host delimiter, so it extracts hostname as 1.1.1.1 (public)
  • requests treats `` as a path character, connecting to 127.0.0.1 (internal)
Below is a test code I wrote following the code.
import sys
from pathlib import Path
from pprint import pprint

sys.path.insert(0, str(Path(r"D:/BaiduNetdiskDownload/PraisonAI-main/PraisonAI-main/src/praisonai-agents")))

from praisonaiagents.tools import spider tools

# url = "http://127.0.0.1:6666@1.1.1.1"
url = "http://127.0.0.1:6666"

result = spider tools.scrape page(url)

if isinstance(result, dict) and "error" in result:
  print("scrape failed:", result["error"])
else:
  pprint(result)
When an attacker uses http://127.0.0.1:6666/, the existing detection logic can detect that this is an internal network address and block it.
QQ20260424-152007-24-4
However, when an attacker uses http://127.0.0.1:6666@1.1.1.1, the detection logic resolves the host to 1.1.1.1, which is a public IP address, thus passing the verification. But in the actual request process, this URL is forwarded by requests.get to http://127.0.0.1:6666, bypassing the detection and achieving an SSRF attack.
QQ20260424-152123-24-5

PoC

http://127.0.0.1:6666@1.1.1.1

Impact

SSRF

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

Related Identifiers

PYSEC-2026-2950

Affected Products

Praisonaiagents