提出 #777645: letta-ai letta 0.16.4 CWE-918情報

タイトル	letta-ai letta 0.16.4 CWE-918
説明	# Technical Details An SSRF / Arbitrary File Read vulnerability exists in the _convert_message_create_to_message() function in letta/helpers/message_helper.py (lines 125-136) of Letta. This is an incomplete fix for commit 90f3ab91. The application explicitly handles file:// URLs in ImageContent processing without any URL scheme validation. When a user sends a message with ImageContent containing source.type = "url", the server opens and reads the file directly from the filesystem, base64-encodes it, and passes it to the LLM. Commit 90f3ab91 added scheme validation to fetch_webpage() in builtin_tool_executor.py, but missed applying the same fix to message_helper.py. # Vulnerable Code File: letta/helpers/message_helper.py (lines 125-136) Method: _convert_message_create_to_message() Why: Explicitly handles file:// URLs with open(file_path, "rb").read() - reads any file the server process can access without URL scheme validation. File: letta/helpers/message_helper.py (lines 173-176) Method: _resolve_url_to_base64() Why: Same file:// URL handling without scheme validation - a second vulnerable code path. # Reproduction 1. Deploy Letta v0.16.4 via Docker (docker compose -f dev-compose.yaml up). 2. Create an agent via POST /v1/agents/. 3. Send a message with ImageContent containing file:///etc/passwd as the image URL via POST /v1/agents/{id}/messages. 4. The server reads /etc/passwd, base64-encodes it, and passes it to the LLM. 5. For /proc/1/environ, the server reads ALL environment variables including OPENAI_API_KEY, database passwords, etc. # Impact - Arbitrary file read from the server's filesystem. - Credential theft: OPENAI_API_KEY, ANTHROPIC_API_KEY, LETTA_PG_PASSWORD from /proc/1/environ. - Privilege escalation from "send messages" to "read any file on the server."
ソース	⚠️ https://gist.github.com/YLChen-007/fde4d5ed6ac4aa876f73f8954c6214da
ユーザー	Eric-z (UID 95890)
送信	2026年03月11日 14:41 (18 日 ago)
モデレーション	2026年03月27日 09:23 (16 days later)
ステータス	承諾済み
VulDBエントリ	353841 [letta-ai letta 0.16.4 File URL message_helper.py _convert_message_create_to_message ImageContent 特権昇格]
ポイント	20

◂ 前概要次 ▸

Do you want to use VulDB in your project?

Use the official API to access entries easily!