提交 #853103: zhayujie CowAgent <= 2.1.0 Server-Side Request Forgery (CWE-918)信息

标题zhayujie CowAgent <= 2.1.0 Server-Side Request Forgery (CWE-918)
描述# Technical Details A server-side request forgery vulnerability exists in the `Vision._build_image_content` and `_download_to_data_url` methods in `agent/tools/vision/vision.py` of CowAgent. The application accepts attacker-controlled HTTP(S) image URLs and fetches them server-side with `requests.get` without hostname/IP filtering, loopback/private-address rejection, redirect validation, or DNS pinning. # Vulnerable Code File: `agent/tools/vision/vision.py` Method: Vision tool schema / image parameter handling Why: The tool explicitly accepts a user-controlled `image` parameter that may be a local file path or HTTP(S) URL. File: `agent/tools/vision/vision.py` Method: `_build_image_content` Why: The method routes values beginning with `http://` or `https://` into `_download_to_data_url(image)`. File: `agent/tools/vision/vision.py` Method: `_download_to_data_url` Why: The method performs `requests.get(url, timeout=30)` without SSRF validation. File: `channel/web/web_channel.py` Method: `WebChannel.post_message` Why: The normal web entry point accepts chat messages and forwards them into the agent/tool-dispatch path, making the vision fetch reachable from web chat. # Reproduction 1. Run CowAgent `<= 2.1.0` with the web channel and agent tool workflow enabled. 2. Start a loopback HTTP server serving an image such as `http://127.0.0.1:<port>/secret.png`. 3. Send a web chat message through `POST /message` that causes the agent to invoke `vision(image=http://127.0.0.1:<port>/secret.png, question=describe)`. 4. Observe that the loopback server receives an HTTP GET from the CowAgent process. 5. Confirm application logs show the real `vision(...)` tool invocation. 6. Run a control using a local file path and confirm it does not trigger the same remote HTTP request. # Impact - Attackers can make the CowAgent host issue HTTP requests to loopback-only services. - Attackers can probe private-network HTTP endpoints reachable from the deployment host or container. - Internal unauthenticated image/static endpoints may be retrieved from the host's network position.
来源⚠️ https://github.com/zhayujie/CowAgent/issues/2872
用户
 Eric-x (UID 94869)
提交2026-06-09 16時45分 (1 月前)
管理2026-07-09 20時38分 (1 month later)
状态已接受
VulDB条目377273 [zhayujie CowAgent 直到 2.1.1 Vision Tool vision.py _build_image_content/_download_to_data_url image 权限提升]
积分20

Do you know our Splunk app?

Download it now for free!