CVE-2026-47390
published 2026-05-29
medium
PraisonAI spider_tools SSRF protection bypass via alternate loopback host encodings

### Summary

PraisonAI's `spider_tools` URL validation can be bypassed using alternate loopback host encodings.

The affected component is:

```text
praisonaiagents/tools/spider_tools.py
```

The tool contains a URL validation function intended to block local or unsafe targets before fetching attacker-controlled URLs. However, the validation only blocks a small set of exact host strings such as `localhost` and `127.0.0.1`. It does not normalize hostnames, resolve DNS, parse numeric IPv4 variants, or validate the final resolved IP address before making the request.

As a result, URLs such as the following bypass the protection and still reach loopback services:

```text
http://localhost.:8765/
http://127.1:8765/
http://0177.0.0.1:8765/
http://0x7f000001:8765/
http://2130706433:8765/
```

After the weak validation passes, `scrape_page()` calls `requests.Session.get()` on the attacker-controlled URL. This allows an attacker who can influence URLs passed to `scrape_page`, `crawl`, or `extract_text` to induce SSRF requests against loopback-only services. This is a server-side request forgery protection bypass.

### Details

The affected code is in:

```text
praisonaiagents/tools/spider_tools.py
```

The vulnerable flow is:

```text
attacker-controlled URL
  -> spider_tools._validate_url(...)
  -> weak exact-host blocklist check
  -> validation passes for alternate loopback encodings
  -> scrape_page(...)
  -> requests.Session.get(attacker_url)
  -> loopback service is reached
```

The validation appears to block only exact local hostnames or exact IPv4 strings. For example, it blocks simple forms such as:

```text
localhost
127.0.0.1
```

However, equivalent loopback forms are not rejected before the request is made. Confirmed bypass examples:

```text
http://localhost.:8765/
http://127.1:8765/
http://0177.0.0.1:8765/
http://0x7f000001:8765/
http://2130706433:8765/
```

These values can resolve
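The checks the advisory says are missing (host normalization, decoding of legacy numeric IPv4 forms, DNS resolution, and a verdict on the resolved address) as an added example; this is not the project's patched code, and `is_safe_url`, `host_addresses` and `parse_legacy_ipv4` are names chosen here. The resolver is injectable so the check can be exercised without network access.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

def parse_legacy_ipv4(host):
    """Decode inet_aton-style hosts ('127.1', '0177.0.0.1', '0x7f000001'); None if not one."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4 or not all(p.isalnum() for p in parts):
        return None
    try:  # 0x.. is hex, a leading 0 is octal, otherwise decimal (as in inet_aton)
        nums = [int(p[2:], 16) if p[:2].lower() == "0x"
                else int(p, 8) if len(p) > 1 and p[0] == "0" else int(p, 10)
                for p in parts]
    except ValueError:
        return None
    # The last component fills every remaining byte, so '127.1' is 127.0.0.1.
    if any(n > 255 for n in nums[:-1]) or nums[-1] >> ((5 - len(nums)) * 8):
        return None
    value = sum(n << (8 * (3 - i)) for i, n in enumerate(nums[:-1])) + nums[-1]
    return ipaddress.IPv4Address(value)

def host_addresses(host, resolver):
    """All addresses the host denotes: a literal, or every A/AAAA answer."""
    try:
        return [ipaddress.ip_address(host)]
    except ValueError:
        pass
    if (ip := parse_legacy_ipv4(host)) is not None:
        return [ip]
    return [ipaddress.ip_address(info[4][0].split("%")[0])
            for info in resolver(host, None)]  # getaddrinfo-compatible

def is_safe_url(url, resolver=socket.getaddrinfo):
    """True only for http(s) URLs whose host denotes exclusively global addresses.
    Connect to the address checked here, not to a fresh lookup (DNS rebinding)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")  # 'localhost.' -> 'localhost'
    bad_host = not host or host == "localhost" or host.endswith(".localhost")
    if parts.scheme not in ("http", "https") or bad_host:
        return False
    try:
        addrs = host_addresses(host, resolver)
    except (OSError, ValueError):  # NXDOMAIN, malformed answers, ...
        return False
    for addr in addrs:
        if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
            addr = addr.ipv4_mapped  # ::ffff:127.0.0.1 is still loopback
        if not addr.is_global:  # loopback, private, link-local, metadata, ...
            return False
    return bool(addrs)
```

Rejecting on `is_global` rather than on a blocklist of strings covers every encoding of a loopback, private or link-local target, including ones not listed in the advisory.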
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mervinpraison | praisonai | >= 0 < 4.6.40 | 4.6.40 |
| mervinpraison | praisonaiagents | >= 0 < 1.6.40 | 1.6.40 |
| mervinpraison | praisonaiagents | >= 0 < 1.6.59 | 1.6.59 |
GHSA
ghsa·2026-06-18
CVE-2026-47390 [HIGH] CWE-918 praisonaiagents: SSRF guard validates literal IPs only and never resolves DNS
# praisonaiagents: SSRF guard validates literal IPs only and never resolves DNS
**Researcher:** Kai Aizen — SnailSploit (@SnailSploit), Adversarial & Offensive Security Research
**Target:** https://github.com/MervinPraison/PraisonAI
**Weakness:** CWE-918 Server-Side Request Forgery (SSRF).
---
## Summary
The SSRF guard shared by PraisonAI's web tools (`SpiderTools._validate_url` → `_host_is_blocked` in `praisonaiagents/tools/spider_tools.py`) inspects only **literal IP-address encodings** of the URL host. It never resolves DNS names. Any hostname whose A/AAAA record points at an internal, loopback, link-local, or cloud-metadata address passes validation and the request is issued to that target. A static inte
GHSA
ghsa·2026-05-29
CVE-2026-47390 [MEDIUM] CWE-918 PraisonAI spider_tools SSRF protection bypass via alternate loopback host encodings
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.