Skip to content

DNS rebinding bypass in `web_crawl` SSRF protection allows internal response disclosure

High
MervinPraison published GHSA-qg25-6gc4-48mg Jun 25, 2026

Package

pip praisonaiagents (pip)

Affected versions

<= 1.6.77

Patched versions

>= 1.6.78

Description

Summary

PraisonAI's web_crawl agent tool performs a server-side HTTP fetch of an agent/attacker-influenced URL. SSRF is meant to be prevented by _is_safe_crawl_url(), which resolves the hostname and rejects private/loopback/link-local IPs at validation time. The validated value is the URL string (not a pinned IP); the fetch backend then re-resolves the hostname at connection time. Because validation and connection perform two independent DNS resolutions, a DNS-rebinding domain that returns a public IP during validation and an internal IP during the fetch fully bypasses the guard, and the internal HTTP response body is returned to the caller.

This is SSRF with internal response disclosure (read-back) — not blind SSRF. Runtime-confirmed against PraisonAI 4.6.63; the crawl response returned the controlled internal markers PRAISONAI_INTERNAL_SECRET_CANARY_7f3a91 / FAKE_INTERNAL_TOKEN_DO_NOT_USE_7f3a91. Severity High. Reachable by any actor who can influence the URL an agent crawls (e.g. a chat/bot/agent surface).

Details

Affected component

  • Package: praisonaiagents (PraisonAI), version 4.6.63.
  • File: src/praisonai-agents/praisonaiagents/tools/web_crawl_tools.py; tool web_crawl / crawl_web (part of the default bot tool set).

Vulnerable code / root cause

Code point 1 — check-time-only DNS validation, no IP pinning

Path:
src/praisonai-agents/praisonaiagents/tools/web_crawl_tools.py

Function:
_is_safe_crawl_url

Snippet:

for info in socket.getaddrinfo(hostname, None):          # resolve at CHECK time
    ip = ipaddress.ip_address(info[4][0])
    if (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_multicast or ip.is_unspecified):
        return False
return True

Issue: the guard validates the hostname by resolving it once at check time. It does not pin the resolved IP and does not return/forward that IP to the HTTP client. Any later resolution can differ.

Code point 2 — guard runs, then the URL string is handed to the backend

Function:
web_crawl

Snippet:

for u in raw_url_list:
    if _is_safe_crawl_url(u):       # validate the URL string
        url_list.append(u)
...
results = _crawl_with_httpx(url_list)   # or _crawl_with_crawl4ai(url_list)

Issue: attacker-controlled input (urls) is validated as a string; the backend then fetches that string and re-resolves DNS independently of the guard. There is no shared, pinned IP between check and fetch.

Code point 3 — _crawl_with_httpx backend re-resolves (redirect re-validation does not stop rebinding)

Function:
_crawl_with_httpx

Snippet:

with httpx.Client(follow_redirects=False, timeout=30.0) as client:
    for _ in range(max_redirects + 1):
        if not _is_safe_crawl_url(current):   # re-resolves hostname (CHECK)
            raise ValueError("Redirect target failed SSRF validation")
        response = client.get(current)        # resolves AGAIN at CONNECT

Issue: even with per-hop redirect re-validation, _is_safe_crawl_url(current) and client.get(current) are two separate DNS resolutions of the same hostname. A rebinding domain answers public to the check and internal to the connect → TOCTOU bypass. No IP pinning.

Code point 4 — urllib fallback (same function), no per-hop guard

Snippet:

import urllib.request
with urllib.request.urlopen(url, timeout=30) as response:   # re-resolves + auto-follows redirects
    content = response.read().decode('utf-8', errors='ignore')

Issue: when httpx is not installed, this fallback inside _crawl_with_httpx fetches the URL and auto-follows redirects with no per-hop/per-connect validation. (Results from this function are labelled "provider": "httpx" regardless of which path runs.)

Code point 5 — crawl4ai/Chromium backend (confirmed addendum)

The crawl4ai backend (_crawl_with_crawl4aicrawler.arun(url=url), headless Chromium) is also runtime-confirmed affected (browser re-resolves DNS / follows redirects with no per-connect guard). To keep this report focused on the web_crawl SSRF guard, the backend-specific evidence is in SSRF-04_Crawl4AI_SSRF_Backend_Addendum.md.

Attack flow

  1. Attacker controls a hostname (e.g. rebind.lab) whose authoritative DNS rebinds.
  2. Lookup #1 (the guard) → a public IP → _is_safe_crawl_url() returns true.
  3. The backend re-resolves → the attacker's DNS now answers an internal/private IP (cloud metadata, loopback, internal service).
  4. The backend connects to the internal service and returns its body to the caller → internal data disclosure.

Why existing protection is bypassed

  • The guard validates the hostname, not a pinned IP; check and connect resolve independently → DNS rebinding (TOCTOU) defeats it on every backend.
  • Redirect re-validation (httpx path) re-checks the hostname but still re-resolves at connect, so it does not stop rebinding; the urllib fallback and crawl4ai backends have no per-hop guard at all.

Security boundary

The server-side fetch reaches internal/loopback/metadata services not exposed to the attacker and returns their content (CVSS Scope: Changed). Reachable wherever an agent can be induced to crawl an attacker-supplied URL (PR:L). An unauthenticated single-request path to web_crawl read-back was not found in 4.6.63 (so PR:N / Critical is not claimed).

Proof of Concept

Environment

Real PraisonAI 4.6.63 in a local Docker runtime; a controlled internal canary service (Docker-internal only, not published) returns synthetic markers; a controlled DNS responder implements rebinding for rebind.lab. No public host / real metadata / real secret. Runnable assets: PraisonAI-Runtime-Repro\runtime-files\.

Steps to reproduce

  1. Burp Repeater tab PRAI-05-01-DNS-Rebind-Trigger127.0.0.1:18080:
POST /tool/web_crawl HTTP/1.1
Host: 127.0.0.1:18080
Content-Type: application/json

{"url":"http://rebind.lab:8081/secret"}
  1. Send (PRAI-05-02-DNS-Rebind-Secret-Readback captures the response). If a send returns the "blocked" error, the rebinding DNS auto-resets (~3s) — resend.
  2. Redirect variant: PRAI-05-03-Redirect-Trigger / PRAI-05-04-Redirect-Secret-Readback send {"url":"http://redirector:8082/redirect-to-internal"}.

Expected result

A safe SSRF guard refuses destinations that resolve to internal/private IPs regardless of DNS timing or redirects, and does not return internal content.

Actual result

HTTP 200 with the internal body in the crawl result. Primary evidence is the provider: "httpx" backend returning the internal canary via DNS rebinding:

{"input_url":"http://rebind.lab:8081/secret",
 "result":{"content":"{ ... \"secret\": \"PRAISONAI_INTERNAL_SECRET_CANARY_7f3a91\", \"token\": \"FAKE_INTERNAL_TOKEN_DO_NOT_USE_7f3a91\" ... }","provider":"httpx"}}

The redirect variant returns the same internal markers via a redirect chain (provider: "httpx").

Screenshots

DNS rebinding read-back

The attacker-controlled rebind.lab URL is accepted by web_crawl, and the PraisonAI response contains the internal canary response body.

01-DNS-Rebind-Burp-Readback

DNS rebinding runtime evidence

The runtime log shows rebind.lab first resolving to an allowed/public IP during validation (guard-pass), then resolving to an internal Docker IP during the actual fetch (fetch-hit). The internal canary receives GET /secret from the PraisonAI container.

02-DNS-Rebind-DNS-Log-And-Internal-Hit

Redirect-based SSRF read-back

The attacker-controlled redirector URL is accepted by web_crawl. PraisonAI follows the redirect and returns the internal canary response body containing PRAISONAI_INTERNAL_SECRET_CANARY_7f3a91.

03-Redirect-Burp-Readback

Redirect chain runtime evidence

The controlled redirector returns 302 -> http://internal-canary:8081/secret, and the internal canary receives GET /secret, confirming that the server-side client followed the redirect into the internal network.

04-Redirect-Internal-Hit-Log

Reproduction assets

The attached archive contains the local Docker runtime used to reproduce the issue with controlled canary services only. It does not contain real secrets, real cloud metadata access, or third-party API keys.

PraisonAI-Runtime-Repro.zip

Impact

SSRF against internal/loopback/cloud-metadata endpoints with disclosure of internal HTTP responses (read-back) to the attacker. Bypasses the project's SSRF protection on every fetch backend.

Suggested remediation

  1. Resolve the host once, reject all returned records that are private/loopback/link-local/ULA/CGNAT/metadata, then connect to that exact validated IP (pin it; send the original Host). Do not let the HTTP client / browser re-resolve.
  2. Apply the same validation + IP pinning to every backend (httpx, urllib fallback, crawl4ai) and every redirect hop.
  3. Disable automatic redirect following (or cap + re-validate each hop with pinning).
  4. Treat IPv4-mapped IPv6, decimal/octal/hex IPs, and CGNAT/non-global ranges as unsafe.

Severity

High

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
None
Scope
Changed
Confidentiality
High
Integrity
Low
Availability
None

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N

CVE ID

CVE-2026-62169

Weaknesses

Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. Learn more on MITRE.

Time-of-check Time-of-use (TOCTOU) Race Condition

The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check. Learn more on MITRE.

Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. Learn more on MITRE.

Credits