| Titel | zhayujie CowAgent <= 2.1.0 Server-Side Request Forgery (CWE-918) |
|---|
| Beschreibung | # Technical Details
A server-side request forgery vulnerability exists in the `Vision._build_image_content` and `_download_to_data_url` methods in `agent/tools/vision/vision.py` of CowAgent.
The application accepts attacker-controlled HTTP(S) image URLs and fetches them server-side with `requests.get` without hostname/IP filtering, loopback/private-address rejection, redirect validation, or DNS pinning.
# Vulnerable Code
File: `agent/tools/vision/vision.py`
Method: Vision tool schema / image parameter handling
Why: The tool explicitly accepts a user-controlled `image` parameter that may be a local file path or HTTP(S) URL.
File: `agent/tools/vision/vision.py`
Method: `_build_image_content`
Why: The method routes values beginning with `http://` or `https://` into `_download_to_data_url(image)`.
File: `agent/tools/vision/vision.py`
Method: `_download_to_data_url`
Why: The method performs `requests.get(url, timeout=30)` without SSRF validation.
File: `channel/web/web_channel.py`
Method: `WebChannel.post_message`
Why: The normal web entry point accepts chat messages and forwards them into the agent/tool-dispatch path, making the vision fetch reachable from web chat.
# Reproduction
1. Run CowAgent `<= 2.1.0` with the web channel and agent tool workflow enabled.
2. Start a loopback HTTP server serving an image such as `http://127.0.0.1:<port>/secret.png`.
3. Send a web chat message through `POST /message` that causes the agent to invoke `vision(image=http://127.0.0.1:<port>/secret.png, question=describe)`.
4. Observe that the loopback server receives an HTTP GET from the CowAgent process.
5. Confirm application logs show the real `vision(...)` tool invocation.
6. Run a control using a local file path and confirm it does not trigger the same remote HTTP request.
# Impact
- Attackers can make the CowAgent host issue HTTP requests to loopback-only services.
- Attackers can probe private-network HTTP endpoints reachable from the deployment host or container.
- Internal unauthenticated image/static endpoints may be retrieved from the host's network position. |
|---|
| Quelle | ⚠️ https://github.com/zhayujie/CowAgent/issues/2872 |
|---|
| Benutzer | Eric-x (UID 94869) |
|---|
| Einreichung | 09.06.2026 16:45 (vor 1 Monat) |
|---|
| Moderieren | 09.07.2026 20:38 (1 month later) |
|---|
| Status | Akzeptiert |
|---|
| VulDB Eintrag | 377273 [zhayujie CowAgent bis 2.1.1 Vision Tool vision.py _build_image_content/_download_to_data_url image erweiterte Rechte] |
|---|
| Punkte | 20 |
|---|