| Título | zhayujie CowAgent <= 2.1.0 Server-Side Request Forgery (CWE-918) |
|---|
| Descrição | # Technical Details
A server-side request forgery vulnerability exists in the `Vision._build_image_content` and `_download_to_data_url` methods in `agent/tools/vision/vision.py` of CowAgent.
The application accepts attacker-controlled HTTP(S) image URLs and fetches them server-side with `requests.get` without hostname/IP filtering, loopback/private-address rejection, redirect validation, or DNS pinning.
# Vulnerable Code
File: `agent/tools/vision/vision.py`
Method: Vision tool schema / image parameter handling
Why: The tool explicitly accepts a user-controlled `image` parameter that may be a local file path or HTTP(S) URL.
File: `agent/tools/vision/vision.py`
Method: `_build_image_content`
Why: The method routes values beginning with `http://` or `https://` into `_download_to_data_url(image)`.
File: `agent/tools/vision/vision.py`
Method: `_download_to_data_url`
Why: The method performs `requests.get(url, timeout=30)` without SSRF validation.
File: `channel/web/web_channel.py`
Method: `WebChannel.post_message`
Why: The normal web entry point accepts chat messages and forwards them into the agent/tool-dispatch path, making the vision fetch reachable from web chat.
# Reproduction
1. Run CowAgent `<= 2.1.0` with the web channel and agent tool workflow enabled.
2. Start a loopback HTTP server serving an image such as `http://127.0.0.1:<port>/secret.png`.
3. Send a web chat message through `POST /message` that causes the agent to invoke `vision(image=http://127.0.0.1:<port>/secret.png, question=describe)`.
4. Observe that the loopback server receives an HTTP GET from the CowAgent process.
5. Confirm application logs show the real `vision(...)` tool invocation.
6. Run a control using a local file path and confirm it does not trigger the same remote HTTP request.
# Impact
- Attackers can make the CowAgent host issue HTTP requests to loopback-only services.
- Attackers can probe private-network HTTP endpoints reachable from the deployment host or container.
- Internal unauthenticated image/static endpoints may be retrieved from the host's network position. |
|---|
| Fonte | ⚠️ https://github.com/zhayujie/CowAgent/issues/2872 |
|---|
| Utilizador | Eric-x (UID 94869) |
|---|
| Submissão | 09/06/2026 16h45 (há 1 mês) |
|---|
| Moderação | 09/07/2026 20h38 (1 month later) |
|---|
| Estado | Aceite |
|---|
| Entrada VulDB | 377273 [zhayujie CowAgent até 2.1.1 Vision Tool vision.py _build_image_content/_download_to_data_url image Elevação de Privilégios] |
|---|
| Pontos | 20 |
|---|