GHSA-44c2-3rw4-5gvh: PraisonAI Has SSRF in FileTools.download_file() via Unvalidated URL
Summary
PraisonAI's `FileTools.download_file()` function has a security flaw called SSRF (server-side request forgery, where a server is tricked into making requests to unintended targets) because it doesn't validate URLs before downloading files. An attacker can make it download from internal services or cloud metadata endpoints, potentially stealing credentials or accessing restricted information.
Solution / Mitigation
The upstream advisory suggests a fix that validates URLs by checking that the scheme is http or https and blocking requests to private/reserved IP ranges (127.0.0.0/8, 169.254.0.0/16, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) using the `urllib.parse` and `ipaddress` Python modules. The fix adds a `_validate_url()` function that raises a ValueError when a blocked address is detected. The download code should call this validation function before passing the URL to `httpx.stream()`, and `follow_redirects=True` should be reconsidered, because an allowed URL can otherwise redirect to a blocked internal address after validation has already passed.
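A defensive implementation of the mitigation described above, written here as an added example rather than taken from the PraisonAI project. It keeps the advisory's `_validate_url()` name; the `safe_download()` wrapper, its hypothetical `fetch` transport, the hostname resolution step and the IPv6 ranges beyond those listed are assumptions of this example, and redirects are followed by hand so each hop is re-validated.

```python
import ipaddress
import socket
from urllib.parse import urljoin, urlsplit

__all__ = ["BLOCKED_NETWORKS", "_validate_url", "safe_download"]

# Ranges named in the advisory, plus IPv6 equivalents (an assumption of this example).
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "169.254.0.0/16", "10.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "0.0.0.0/8", "::1/128", "fe80::/10", "fc00::/7")]

def _resolve(host):
    """Return every address a hostname resolves to (IPv4 and IPv6)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def _validate_url(url, resolve=_resolve):
    """Raise ValueError unless `url` is http(s) and points only at public addresses."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"blocked scheme: {parts.scheme!r}")
    host = parts.hostname
    if not host:
        raise ValueError("URL has no host")
    try:
        addrs = [ipaddress.ip_address(host)]  # literal address: check it directly
    except ValueError:
        # Hostname: resolve it so names pointing inside the network are caught too.
        addrs = [ipaddress.ip_address(a.split("%")[0]) for a in resolve(host)]
    for addr in addrs:
        if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
            addr = addr.ipv4_mapped  # ::ffff:10.0.0.1 is really 10.0.0.1
        if (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_reserved or any(addr in net for net in BLOCKED_NETWORKS)):
            raise ValueError(f"blocked address {addr} for host {host!r}")
    return parts

def safe_download(url, fetch, resolve=_resolve, max_redirects=5):
    """Fetch `url`, following redirects by hand so every hop is re-validated.
    `fetch(url)` is a hypothetical transport returning (status, headers, body);
    in production it would wrap httpx.stream() with follow_redirects=False."""
    for _ in range(max_redirects + 1):
        _validate_url(url, resolve)
        status, headers, body = fetch(url)
        location = headers.get("location")
        if status in (301, 302, 303, 307, 308) and location:
            url = urljoin(url, location)  # relative Location resolves against this hop
            continue
        return body
    raise ValueError("too many redirects")
```

The `resolve` parameter exists so the check can be unit-tested offline with a stub resolver; in production the default `socket.getaddrinfo` path is used.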
Vulnerability Details
EPSS: 0.0%
April 1, 2026
Related Issues
CVE-2024-27444: langchain_experimental (aka LangChain Experimental) in LangChain before 0.1.8 allows an attacker to bypass the CVE-2023-
CVE-2025-45150: Insecure permissions in LangChain-ChatGLM-Webui commit ef829 allows attackers to arbitrarily view and download sensitive
Original source: https://github.com/advisories/GHSA-44c2-3rw4-5gvh
First tracked: April 1, 2026 at 08:00 PM
Classified by LLM (prompt v3) · confidence: 92%