Submit #777645: letta-ai letta 0.16.4 CWE-918 (info)

Title: letta-ai letta 0.16.4 CWE-918
Description:

# Technical Details

An SSRF / Arbitrary File Read vulnerability exists in the _convert_message_create_to_message() function in letta/helpers/message_helper.py (lines 125-136) of Letta. This is an incomplete fix for commit 90f3ab91.

The application explicitly handles file:// URLs in ImageContent processing without any URL scheme validation. When a user sends a message with ImageContent containing source.type = "url", the server opens and reads the file directly from the filesystem, base64-encodes it, and passes it to the LLM.

Commit 90f3ab91 added scheme validation to fetch_webpage() in builtin_tool_executor.py, but missed applying the same fix to message_helper.py.

# Vulnerable Code

File: letta/helpers/message_helper.py (lines 125-136)
Method: _convert_message_create_to_message()
Why: Explicitly handles file:// URLs with open(file_path, "rb").read() - reads any file the server process can access without URL scheme validation.

File: letta/helpers/message_helper.py (lines 173-176)
Method: _resolve_url_to_base64()
Why: Same file:// URL handling without scheme validation - a second vulnerable code path.

# Reproduction

1. Deploy Letta v0.16.4 via Docker (docker compose -f dev-compose.yaml up).
2. Create an agent via POST /v1/agents/.
3. Send a message with ImageContent containing file:///etc/passwd as the image URL via POST /v1/agents/{id}/messages.
4. The server reads /etc/passwd, base64-encodes it, and passes it to the LLM.
5. For /proc/1/environ, the server reads ALL environment variables including OPENAI_API_KEY, database passwords, etc.

# Impact

- Arbitrary file read from the server's filesystem.
- Credential theft: OPENAI_API_KEY, ANTHROPIC_API_KEY, LETTA_PG_PASSWORD from /proc/1/environ.
- Privilege escalation from "send messages" to "read any file on the server."
Source: https://gist.github.com/YLChen-007/fde4d5ed6ac4aa876f73f8954c6214da
User: Eric-z (UID 95890)
Submission: 11/03/2026 14h41 (18 days ago)
Moderation: 27/03/2026 09h23 (16 days later)
Status: Accepted
VulDB entry: 353841 [letta-ai letta 0.16.4 File URL message_helper.py _convert_message_create_to_message ImageContent Privilege Escalation]
Points: 20
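
The scheme validation the description says is missing from the two message_helper.py paths can be written once and called from every place that resolves an image URL, so a later fix cannot cover one path and miss another. This is an added example, not code from Letta or from the report: `validate_image_url`, `UnsafeImageURL` and `is_allowed` are hypothetical names, the http/https allowlist is an assumption, and the internal-address check goes beyond the file:// case the report describes.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: remote images are only ever fetched over HTTP(S).
ALLOWED_SCHEMES = {"http", "https"}


class UnsafeImageURL(ValueError):
    """Raised when an image URL must not be opened or fetched by the server."""


def validate_image_url(url: str) -> str:
    """Hypothetical shared check: return the URL unchanged or raise."""
    parts = urlsplit(url.strip())
    # urlsplit lowercases the scheme, so FILE:// and file:/ are caught too.
    # A bare path such as /etc/passwd has an empty scheme and is rejected.
    if parts.scheme not in ALLOWED_SCHEMES:
        raise UnsafeImageURL(f"scheme {parts.scheme!r} is not allowed")
    host = parts.hostname
    if not host:
        raise UnsafeImageURL("URL has no host")
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        # DNS name: resolving it and re-checking the address is not shown here.
        return url
    if addr.is_loopback or addr.is_private or addr.is_link_local:
        raise UnsafeImageURL(f"host {host} is an internal address")
    return url


def is_allowed(url: str) -> bool:
    """Boolean wrapper; also treats URLs that urlsplit cannot parse as unsafe."""
    try:
        validate_image_url(url)
        return True
    except ValueError:  # UnsafeImageURL is a ValueError subclass
        return False


# Constructed sample inputs; the file:// form is the one named in the report.
SAMPLES = ["https://example.com/cat.png", "file:///etc/passwd",
           "FILE:///etc/passwd", "/etc/passwd", "http://127.0.0.1/img.png"]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample:35} {'allow' if is_allowed(sample) else 'reject'}")
```
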
