| Title | agent0ai agent-zero 0.9.7 Server-Side Request Forgery (CWE-918) |
|---|
| Description | # Technical Details
A Server-Side Request Forgery (SSRF) vulnerability exists in the `DocumentQueryHelper.handle_pdf_document()` method in `python/helpers/document_query.py` of agent-zero.
The application fails to validate user-supplied URLs before making HTTP requests. The `requests.get(document)` call at line 607 accepts arbitrary URLs from user input without checking the URL scheme, target hostname, private IP ranges, or cloud metadata endpoints.
# Vulnerable Code
File: python/helpers/document_query.py
Method: handle_pdf_document()
Line: 607
Why: The method directly passes user-controlled URLs to `requests.get()` without any validation, allowing attackers to make the server issue HTTP requests to arbitrary internal or external endpoints. The full HTTP response content is returned to the attacker, making this a Full SSRF (not blind).
# Reproduction
1. Start Agent Zero via `docker compose -f docker/run/docker-compose.yml up -d`
2. Open the WebUI at http://localhost:50080
3. Send message: "Please use the document_query tool to fetch and analyze this PDF: http://x.x.x.x/latest/meta-data/"
4. The agent returns the full response from the cloud metadata endpoint, exposing IAM credentials
# Impact
- Cloud credential theft from AWS/GCP/Azure metadata endpoints (x.x.x.x)
- Access to internal network services (Redis, MongoDB, internal APIs)
- Network reconnaissance and port scanning from within the trusted network
- Data exfiltration from services not exposed to the internet
|
|---|
| Source | ⚠️ https://gist.github.com/YLChen-007/c99c44aa019266a72636757308d43989 |
|---|
| User | Eric-y (UID 95889) |
|---|
| Submission | 03/06/2026 13:45 (1 month ago) |
|---|
| Moderation | 03/16/2026 22:32 (10 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 351338 [frdel/agent0ai agent-zero 0.9.7 document_query.py handle_pdf_document server-side request forgery] |
|---|
| Points | 20 |
|---|