How the CVE Works:
The vulnerability stems from a logical flaw in PraisonAI's URL validation. The `_validate_url` function uses Python's `urlparse` to extract the hostname and block internal addresses (e.g., 127.0.0.1). However, the actual HTTP request is sent with `requests.get`, and the two libraries disagree on how the backslash (`\`) and at-sign (`@`) are parsed. `urlparse` treats `\` as a regular character and `@` as the userinfo delimiter, so it parses `http://127.0.0.1:6666\@1.1.1.1` as host `1.1.1.1` (public). `requests`, in contrast, interprets `\` as a path character rather than part of the host, so the authority ends at `127.0.0.1:6666` and the request connects to that internal address.

The validation passes because the extracted host is public, but the request goes to the internal IP, enabling Server-Side Request Forgery (SSRF). An attacker can craft a URL like `http://127.0.0.1:6666\@1.1.1.1` to bypass the check. The test code provided by the researchers confirms the behavior: `scrape_page(url)` returns an error when given a blocked internal IP directly, but the bypass URL succeeds in reaching the internal host. The root cause is inconsistent URL parsing between `urlparse` and the `requests` library. No official CVE ID has been assigned yet. The attack requires no privileges, only a crafted URL. Impact includes internal network scanning, access to metadata endpoints, and exploitation of internal services.
dailycve form:
Platform: PraisonAI
Version: Unspecified (latest)
Vulnerability: SSRF bypass
Severity: Medium
Date: 2026-05-06
Prediction: Patch within 30d
What Undercode Say:
Test the discrepancy manually:

```shell
python -c "from urllib.parse import urlparse; print(urlparse('http://127.0.0.1:6666\\@1.1.1.1').hostname)"
```
Output: `1.1.1.1`

```shell
python -c "import requests; print(requests.Request('GET', 'http://127.0.0.1:6666\\@1.1.1.1').prepare().url)"
```
Output: `http://127.0.0.1:6666/@1.1.1.1` (connects to 127.0.0.1)
Proof of concept using PraisonAI spider_tools:

```python
# Proof of concept using PraisonAI spider_tools
from praisonaiagents.tools import spider_tools

url = "http://127.0.0.1:6666\\@1.1.1.1"
result = spider_tools.scrape_page(url)
print(result)  # Accesses the internal host despite validation
```
Exploit:
Send an HTTP request with the URL `http://127.0.0.1:6666\@1.1.1.1` to any endpoint that accepts user-supplied URLs (e.g., scraping, fetching). The validation sees `1.1.1.1`, but `requests.get` connects to `127.0.0.1:6666`, allowing internal service interaction (e.g., metadata API, localhost services).
Protection from this CVE:
Replace `urlparse` with `requests.utils.urlparse` or normalize URLs by removing backslashes before validation. Use a unified parser (e.g., `urllib3.util.parse_url`). Implement a whitelist of allowed hostnames and reject any URL with ambiguous characters (`\`, `@`, quotes). Update `_validate_url` to canonicalize the URL with the same library used for requests.
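A hardened version of the check, added here as an example and not PraisonAI's own code: it rejects URLs carrying the ambiguous characters discussed above, validates IP-literal hosts with `ipaddress`, and canonicalizes the URL so the fetcher receives the validated components rather than the raw input. `PAYLOAD` is the bypass URL from the report (constructed test input, nothing is fetched), and `naive_host` stands in for the flawed `urlparse`-only behaviour of `_validate_url`.

```python
import ipaddress
from urllib.parse import urlparse, urlunparse

# The bypass URL from the report (constructed test input; nothing is fetched).
PAYLOAD = "http://127.0.0.1:6666\\@1.1.1.1"

# Characters that urllib.parse and the HTTP client interpret differently
# (backslash vs. path separator, '@' as userinfo delimiter, whitespace).
AMBIGUOUS_CHARS = set("\\@ \t\r\n")


def naive_host(url):
    """The flawed check: trust urlparse().hostname, then hand the raw URL to requests."""
    return urlparse(url).hostname


def is_internal_host(host):
    """True for IP literals outside the public ranges (loopback, RFC 1918, link-local
    such as 169.254.169.254). Hostnames are not resolved here; resolve and re-check."""
    try:
        return not ipaddress.ip_address(host.strip("[]")).is_global
    except ValueError:
        return False  # not an IP literal


def validate_url(url):
    """Validate and canonicalize. Returns the URL the caller must fetch instead
    of the original, rebuilt from the validated parts so the checked host is the
    one the HTTP client connects to. Raises ValueError on rejection."""
    if any(c in url for c in AMBIGUOUS_CHARS):
        raise ValueError("URL contains ambiguous characters")
    parts = urlparse(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    host = parts.hostname
    if not host:
        raise ValueError("URL has no host")
    if is_internal_host(host):
        raise ValueError(f"internal address blocked: {host}")
    netloc = f"[{host}]" if ":" in host else host  # re-bracket IPv6 literals
    if parts.port is not None:  # .port raises ValueError on a malformed port
        netloc += f":{parts.port}"
    return urlunparse((parts.scheme, netloc, parts.path or "/",
                       parts.params, parts.query, parts.fragment))


def is_allowed(url):
    """Boolean wrapper for callers that only need a verdict."""
    try:
        validate_url(url)
        return True
    except ValueError:
        return False
```

With this pattern the fetcher is given the string returned by `validate_url`, never the user-supplied one, so any remaining parser disagreement cannot redirect the connection.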
Impact:
SSRF enables internal port scanning, access to cloud metadata (e.g., AWS IMDS at 169.254.169.254), reading local files via internal services, pivoting to internal networks, and bypassing firewall restrictions. Attackers may also exploit internal APIs with no authentication.
Sources:
Reported By: github.com

