| Название | poco-ai poco-agent 0.5.4 Server-Side Request Forgery / SSRF (CWE-918) |
|---|
| Описание | # Technical Details
An unauthenticated Server-Side Request Forgery (SSRF) exists in the `run_task` method in `executor/app/api/v1/task.py` of poco-agent.
The executor accepts an untrusted `callback_url` in `POST /v1/tasks/execute` and later performs a server-side HTTP POST to that exact destination without any allowlist or SSRF validation (no rejection of loopback, RFC1918, link-local, or metadata targets).
# Vulnerable Code
File: executor/app/api/v1/task.py
Method: run_task (POST /v1/tasks/execute)
Why: Uses `req.callback_url` directly to construct `CallbackClient` and derive additional base URLs via `UserInputClient.resolve_base_url()` without any destination validation.
File: executor/app/core/callback.py
Method: CallbackClient.send
Why: Issues an `httpx` POST to `self.callback_url` with no destination allowlisting, IP restriction, or network safety checks. The callback payload includes run/session metadata and agent status messages.
File: executor/app/core/user_input.py
Method: UserInputClient.resolve_base_url
Why: Derives additional outbound client base URLs from the same untrusted callback coordinate, expanding the SSRF blast radius.
# Reproduction
1. Start the real executor on 127.0.0.1:18180 and a canary callback listener on 127.0.0.1:18181.
2. Send POST /v1/tasks/execute with `callback_url=http://127.0.0.1:18181/api/v1/callback?canary=poco-executor-callback-url-ssrf`.
3. Observe that the canary listener receives a server-side POST from the executor host containing callback data.
4. Confirm that omitting `callback_url` causes the API to reject with HTTP 422, showing this field is the required trigger.
# Impact
- Trigger outbound HTTP requests from the executor host to loopback services.
- Probe or interact with internal HTTP services reachable from the executor network.
- Target cloud metadata endpoints if the executor runs in a cloud environment.
- Receive callback payload data including run/session metadata and agent status messages. |
|---|
| Источник | ⚠️ https://github.com/poco-ai/poco-claw/issues/138 |
|---|
| Пользователь | Erichen (UID 98955) |
|---|
| Представление | 12.06.2026 10:35 (1 месяц назад) |
|---|
| Модерация | 17.07.2026 07:44 (1 month later) |
|---|
| Статус | принято |
|---|
| Запись VulDB | 379758 [poco-ai poco-claw до 0.5.4 task.py run_task callback_url эскалация привилегий] |
|---|
| Баллы | 20 |
|---|