Submission #777645: letta-ai letta 0.16.4 CWE-918 Information

Title: letta-ai letta 0.16.4 CWE-918
Description:
# Technical Details
An SSRF / arbitrary file read vulnerability exists in the _convert_message_create_to_message() function in letta/helpers/message_helper.py (lines 125-136) of Letta. This is an incomplete fix for commit 90f3ab91. The application explicitly handles file:// URLs in ImageContent processing without any URL scheme validation. When a user sends a message with ImageContent containing source.type = "url", the server opens and reads the file directly from the filesystem, base64-encodes it, and passes it to the LLM. Commit 90f3ab91 added scheme validation to fetch_webpage() in builtin_tool_executor.py but missed applying the same fix to message_helper.py.

# Vulnerable Code
File: letta/helpers/message_helper.py (lines 125-136)
Method: _convert_message_create_to_message()
Why: Explicitly handles file:// URLs with open(file_path, "rb").read(), reading any file the server process can access, without URL scheme validation.

File: letta/helpers/message_helper.py (lines 173-176)
Method: _resolve_url_to_base64()
Why: Same file:// URL handling without scheme validation; a second vulnerable code path.

# Reproduction
1. Deploy Letta v0.16.4 via Docker (docker compose -f dev-compose.yaml up).
2. Create an agent via POST /v1/agents/.
3. Send a message with ImageContent containing file:///etc/passwd as the image URL via POST /v1/agents/{id}/messages.
4. The server reads /etc/passwd, base64-encodes it, and passes it to the LLM.
5. For /proc/1/environ, the server reads all environment variables, including OPENAI_API_KEY, database passwords, etc.

# Impact
- Arbitrary file read from the server's filesystem.
- Credential theft: OPENAI_API_KEY, ANTHROPIC_API_KEY, LETTA_PG_PASSWORD from /proc/1/environ.
- Privilege escalation from "send messages" to "read any file on the server".
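The following is an added example written for this page; it is not code from the report, the gist, or the Letta project. It reconstructs the file:// handling the report describes as a minimal vulnerable resolver (demonstrated against a constructed secret file rather than /proc/1/environ), and places a hardened resolver beside it that allow-lists http/https, refuses credential-bearing URLs and loopback, private, link-local and IPv4-mapped addresses before any I/O, caps the response size, and never touches local disk. The function names, the ImageContent source shape ({"type": "url", "url": ...}), the size cap, the injected fetcher and POSIX paths are assumptions, not Letta's API. For DNS names the resolved address still has to be re-checked at connect time, which this example leaves to the HTTP client.

```python
"""Added example, not Letta's code: the file:// image-source flaw beside a hardened resolver.

Assumptions (illustrative, not the project's API): function names, the ImageContent
source dict shape {"type": "url", "url": ...}, the size cap, the injected fetcher,
and POSIX paths for the vulnerable demo.
"""
import base64
import ipaddress
import os
import tempfile
from pathlib import Path
from typing import Callable
from urllib.parse import unquote, urlsplit, urlunsplit

Fetcher = Callable[[str], bytes]

ALLOWED_SCHEMES = frozenset({"http", "https"})
MAX_IMAGE_BYTES = 20 * 1024 * 1024  # assumed cap; a real fetcher should enforce it while streaming


class UnsafeImageURL(ValueError):
    """Raised when an image URL must not be fetched on the server's behalf."""


# --- Vulnerable shape: reconstruction of what the report describes ---------------------

def resolve_url_vulnerable(url: str, fetch: Fetcher) -> str:
    """A file:// URL is opened from the server's filesystem with no scheme check, so any
    path the Letta process can read ends up base64-encoded in the LLM request."""
    if url.startswith("file://"):
        file_path = unquote(urlsplit(url).path)
        with open(file_path, "rb") as f:
            return base64.b64encode(f.read()).decode("ascii")
    return base64.b64encode(fetch(url)).decode("ascii")


def demo_vulnerable_file_read() -> str:
    """Runs the vulnerable resolver against a constructed secret file (standing in for
    /proc/1/environ) and returns the plaintext recovered from its base64 output."""
    secret = b"OPENAI_API_KEY=sk-constructed-example-value"  # constructed, not a real key
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(secret)
        encoded = resolve_url_vulnerable(Path(path).as_uri(), fetch=lambda _u: b"")
    finally:
        os.unlink(path)
    return base64.b64decode(encoded).decode("ascii")


# --- Hardened shape ----------------------------------------------------------------------

def _is_forbidden_ip(ip) -> bool:
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:127.0.0.1 is still loopback
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def validate_image_url(url: str) -> str:
    """Allow-list the scheme, refuse obvious SSRF targets, return a normalised URL."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise UnsafeImageURL(f"scheme {scheme!r} not allowed (only http/https)")
    if parts.username is not None or parts.password is not None:
        raise UnsafeImageURL("credentials in URL not allowed")
    host = parts.hostname
    if not host:
        raise UnsafeImageURL("URL has no host")
    if host == "localhost" or host.endswith(".localhost"):
        raise UnsafeImageURL("loopback host not allowed")
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None  # a DNS name: the resolved address must be re-checked at connect time
    if ip is not None and _is_forbidden_ip(ip):
        raise UnsafeImageURL(f"address {host} is not publicly routable")
    return urlunsplit((scheme, parts.netloc, parts.path or "/", parts.query, ""))


def resolve_image_source(source: dict, fetch: Fetcher) -> str:
    """Hardened counterpart: validate before any I/O, cap the size, never read local disk."""
    if source.get("type") != "url":
        raise ValueError(f"unsupported image source type {source.get('type')!r}")
    safe_url = validate_image_url(source["url"])
    data = fetch(safe_url)
    if len(data) > MAX_IMAGE_BYTES:
        raise ValueError("image exceeds size cap")
    return base64.b64encode(data).decode("ascii")


def is_rejected(url: str) -> bool:
    try:
        validate_image_url(url)
    except UnsafeImageURL:
        return True
    return False


FAKE_IMAGE_BYTES = b"\x89PNG\r\n\x1a\n"  # constructed PNG signature standing in for an image


def fake_fetch(url: str) -> bytes:
    """Offline stand-in for an HTTP client; serves exactly one constructed image."""
    if url == "https://img.example/cat.png":
        return FAKE_IMAGE_BYTES
    raise LookupError(url)


if __name__ == "__main__":
    print("vulnerable resolver leaked:", demo_vulnerable_file_read())
    for u in ("file:///etc/passwd", "http://169.254.169.254/latest/meta-data/",
              "http://[::ffff:127.0.0.1]/x.png", "https://img.example/cat.png"):
        print(u, "->", "rejected" if is_rejected(u) else "allowed")
    print(resolve_image_source({"type": "url", "url": "https://img.example/cat.png"}, fake_fetch))
```

The point of the split is that validate_image_url runs before any open() or network call, and the check is an allow-list on the scheme rather than a deny-list on file://, so data:, ftp:, gopher: and similar schemes fall out for free. The fetcher is injected so the same resolver can be exercised offline and so the HTTP client can add the connect-time address check and redirect policy the URL-level check cannot provide.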
Source: https://gist.github.com/YLChen-007/fde4d5ed6ac4aa876f73f8954c6214da
User: Eric-z (UID 95890)
Submitted: 2026-03-11 14:41 (18 days ago)
Moderated: 2026-03-27 09:23 (16 days later)
Status: Accepted
VulDB entry: 353841 [letta-ai letta 0.16.4 File URL message_helper.py _convert_message_create_to_message ImageContent privilege escalation]
Points: 20