| tiêu đề | poco-ai poco-agent 0.5.4 Server-Side Request Forgery / SSRF (CWE-918) |
|---|
| Mô tả | # Technical Details
An unauthenticated Server-Side Request Forgery (SSRF) exists in the `run_task` method in `executor/app/api/v1/task.py` of poco-agent.
The executor accepts an untrusted `callback_url` in `POST /v1/tasks/execute` and later performs a server-side HTTP POST to that exact destination without any allowlist or SSRF validation (no rejection of loopback, RFC1918, link-local, or metadata targets).
# Vulnerable Code
File: executor/app/api/v1/task.py
Method: run_task (POST /v1/tasks/execute)
Why: Uses `req.callback_url` directly to construct `CallbackClient` and derive additional base URLs via `UserInputClient.resolve_base_url()` without any destination validation.
File: executor/app/core/callback.py
Method: CallbackClient.send
Why: Issues an `httpx` POST to `self.callback_url` with no destination allowlisting, IP restriction, or network safety checks. The callback payload includes run/session metadata and agent status messages.
File: executor/app/core/user_input.py
Method: UserInputClient.resolve_base_url
Why: Derives additional outbound client base URLs from the same untrusted callback coordinate, expanding the SSRF blast radius.
# Reproduction
1. Start the real executor on 127.0.0.1:18180 and a canary callback listener on 127.0.0.1:18181.
2. Send POST /v1/tasks/execute with `callback_url=http://127.0.0.1:18181/api/v1/callback?canary=poco-executor-callback-url-ssrf`.
3. Observe that the canary listener receives a server-side POST from the executor host containing callback data.
4. Confirm that omitting `callback_url` causes the API to reject with HTTP 422, showing this field is the required trigger.
# Impact
- Trigger outbound HTTP requests from the executor host to loopback services.
- Probe or interact with internal HTTP services reachable from the executor network.
- Target cloud metadata endpoints if the executor runs in a cloud environment.
- Receive callback payload data including run/session metadata and agent status messages. |
|---|
| Nguồn | ⚠️ https://github.com/poco-ai/poco-claw/issues/138 |
|---|
| Người dùng | Erichen (UID 98955) |
|---|
| Đệ trình | 12/06/2026 10:35 (cách đây 1 tháng) |
|---|
| Kiểm duyệt | 17/07/2026 07:44 (1 month later) |
|---|
| Trạng thái | được chấp nhận |
|---|
| Mục VulDB | 379758 [poco-ai poco-claw đến 0.5.4 task.py run_task callback_url nâng cao đặc quyền] |
|---|
| điểm | 20 |
|---|