Enviar #856814: poco-ai poco-agent 0.5.4 Server-Side Request Forgery / SSRF (CWE-918)información

Títulopoco-ai poco-agent 0.5.4 Server-Side Request Forgery / SSRF (CWE-918)
Descripción# Technical Details An unauthenticated Server-Side Request Forgery (SSRF) exists in the `run_task` method in `executor/app/api/v1/task.py` of poco-agent. The executor accepts an untrusted `callback_url` in `POST /v1/tasks/execute` and later performs a server-side HTTP POST to that exact destination without any allowlist or SSRF validation (no rejection of loopback, RFC1918, link-local, or metadata targets). # Vulnerable Code File: executor/app/api/v1/task.py Method: run_task (POST /v1/tasks/execute) Why: Uses `req.callback_url` directly to construct `CallbackClient` and derive additional base URLs via `UserInputClient.resolve_base_url()` without any destination validation. File: executor/app/core/callback.py Method: CallbackClient.send Why: Issues an `httpx` POST to `self.callback_url` with no destination allowlisting, IP restriction, or network safety checks. The callback payload includes run/session metadata and agent status messages. File: executor/app/core/user_input.py Method: UserInputClient.resolve_base_url Why: Derives additional outbound client base URLs from the same untrusted callback coordinate, expanding the SSRF blast radius. # Reproduction 1. Start the real executor on 127.0.0.1:18180 and a canary callback listener on 127.0.0.1:18181. 2. Send POST /v1/tasks/execute with `callback_url=http://127.0.0.1:18181/api/v1/callback?canary=poco-executor-callback-url-ssrf`. 3. Observe that the canary listener receives a server-side POST from the executor host containing callback data. 4. Confirm that omitting `callback_url` causes the API to reject with HTTP 422, showing this field is the required trigger. # Impact - Trigger outbound HTTP requests from the executor host to loopback services. - Probe or interact with internal HTTP services reachable from the executor network. - Target cloud metadata endpoints if the executor runs in a cloud environment. - Receive callback payload data including run/session metadata and agent status messages.
Fuente⚠️ https://github.com/poco-ai/poco-claw/issues/138
Usuario
 Erichen (UID 98955)
Sumisión2026-06-12 10:35 (hace 1 mes)
Moderación2026-07-17 07:44 (1 month later)
EstadoAceptado
Entrada de VulDB379758 [poco-ai poco-claw hasta 0.5.4 task.py run_task callback_url escalada de privilegios]
Puntos20

Do you want to use VulDB in your project?

Use the official API to access entries easily!