Отправить #856814: poco-ai poco-agent 0.5.4 Server-Side Request Forgery / SSRF (CWE-918)Информация

Названиеpoco-ai poco-agent 0.5.4 Server-Side Request Forgery / SSRF (CWE-918)
Описание# Technical Details An unauthenticated Server-Side Request Forgery (SSRF) exists in the `run_task` method in `executor/app/api/v1/task.py` of poco-agent. The executor accepts an untrusted `callback_url` in `POST /v1/tasks/execute` and later performs a server-side HTTP POST to that exact destination without any allowlist or SSRF validation (no rejection of loopback, RFC1918, link-local, or metadata targets). # Vulnerable Code File: executor/app/api/v1/task.py Method: run_task (POST /v1/tasks/execute) Why: Uses `req.callback_url` directly to construct `CallbackClient` and derive additional base URLs via `UserInputClient.resolve_base_url()` without any destination validation. File: executor/app/core/callback.py Method: CallbackClient.send Why: Issues an `httpx` POST to `self.callback_url` with no destination allowlisting, IP restriction, or network safety checks. The callback payload includes run/session metadata and agent status messages. File: executor/app/core/user_input.py Method: UserInputClient.resolve_base_url Why: Derives additional outbound client base URLs from the same untrusted callback coordinate, expanding the SSRF blast radius. # Reproduction 1. Start the real executor on 127.0.0.1:18180 and a canary callback listener on 127.0.0.1:18181. 2. Send POST /v1/tasks/execute with `callback_url=http://127.0.0.1:18181/api/v1/callback?canary=poco-executor-callback-url-ssrf`. 3. Observe that the canary listener receives a server-side POST from the executor host containing callback data. 4. Confirm that omitting `callback_url` causes the API to reject with HTTP 422, showing this field is the required trigger. # Impact - Trigger outbound HTTP requests from the executor host to loopback services. - Probe or interact with internal HTTP services reachable from the executor network. - Target cloud metadata endpoints if the executor runs in a cloud environment. - Receive callback payload data including run/session metadata and agent status messages.
Источник⚠️ https://github.com/poco-ai/poco-claw/issues/138
Пользователь
 Erichen (UID 98955)
Представление12.06.2026 10:35 (1 месяц назад)
Модерация17.07.2026 07:44 (1 month later)
Статуспринято
Запись VulDB379758 [poco-ai poco-claw до 0.5.4 task.py run_task callback_url эскалация привилегий]
Баллы20

Do you need the next level of professionalism?

Upgrade your account now!