제출 #853103: zhayujie CowAgent <= 2.1.0 Server-Side Request Forgery (CWE-918)정보

제목zhayujie CowAgent <= 2.1.0 Server-Side Request Forgery (CWE-918)
설명# Technical Details A server-side request forgery vulnerability exists in the `Vision._build_image_content` and `_download_to_data_url` methods in `agent/tools/vision/vision.py` of CowAgent. The application accepts attacker-controlled HTTP(S) image URLs and fetches them server-side with `requests.get` without hostname/IP filtering, loopback/private-address rejection, redirect validation, or DNS pinning. # Vulnerable Code File: `agent/tools/vision/vision.py` Method: Vision tool schema / image parameter handling Why: The tool explicitly accepts a user-controlled `image` parameter that may be a local file path or HTTP(S) URL. File: `agent/tools/vision/vision.py` Method: `_build_image_content` Why: The method routes values beginning with `http://` or `https://` into `_download_to_data_url(image)`. File: `agent/tools/vision/vision.py` Method: `_download_to_data_url` Why: The method performs `requests.get(url, timeout=30)` without SSRF validation. File: `channel/web/web_channel.py` Method: `WebChannel.post_message` Why: The normal web entry point accepts chat messages and forwards them into the agent/tool-dispatch path, making the vision fetch reachable from web chat. # Reproduction 1. Run CowAgent `<= 2.1.0` with the web channel and agent tool workflow enabled. 2. Start a loopback HTTP server serving an image such as `http://127.0.0.1:<port>/secret.png`. 3. Send a web chat message through `POST /message` that causes the agent to invoke `vision(image=http://127.0.0.1:<port>/secret.png, question=describe)`. 4. Observe that the loopback server receives an HTTP GET from the CowAgent process. 5. Confirm application logs show the real `vision(...)` tool invocation. 6. Run a control using a local file path and confirm it does not trigger the same remote HTTP request. # Impact - Attackers can make the CowAgent host issue HTTP requests to loopback-only services. - Attackers can probe private-network HTTP endpoints reachable from the deployment host or container. - Internal unauthenticated image/static endpoints may be retrieved from the host's network position.
원천⚠️ https://github.com/zhayujie/CowAgent/issues/2872
사용자
 Eric-x (UID 94869)
제출2026. 06. 09. PM 04:45 (1 월 ago)
모더레이션2026. 07. 09. PM 08:38 (1 month later)
상태수락
VulDB 항목377273 [zhayujie CowAgent 까지 2.1.1 Vision Tool vision.py _build_image_content/_download_to_data_url image 권한 상승]
포인트들20

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!