PraisonAI, a multi-agent teams system by MervinPraison, contained an SSRF vulnerability (CWE-918) in versions before 4.5.90. The vulnerability is due to the passthrough() and apassthrough() functions accepting an api_base parameter controlled by the caller, which is concatenated with an endpoint and passed to httpx.Client.request() when the litellm primary path raises an AttributeError. This process lacks URL scheme validation, private IP filtering, or domain allowlisting, enabling requests to arbitrary hosts accessible from the server. This could allow an attacker with at least low privileges to cause the server to make unauthorized HTTP requests, potentially exposing sensitive internal resources. The vulnerability was patched in version 4.5.90.

Successful exploitation allows an attacker with limited privileges to induce the server to make HTTP requests to arbitrary hosts reachable from the server, potentially exposing sensitive internal network resources or services. The CVSS vector indicates a high confidentiality impact (C:H), no integrity (I:N) or availability (A:N) impact, and requires low attack complexity with low privileges and no user interaction. There are no known exploits in the wild at this time.

A patch fixing this vulnerability is available in PraisonAI version 4.5.90. Users should upgrade to version 4.5.90 or later to remediate this SSRF vulnerability. Since the vendor advisory confirms the issue is patched in 4.5.90, applying this official fix is the recommended mitigation. No additional mitigations are specified or required beyond upgrading.