ag2 is vulnerable to Server-Side Request Forgery (SSRF)
59
Medium Risk
The experimental Document Agent fetches remote documents from user- or model-supplied URLs in autogen/agents/experimental/document_agent/document_utils.py without validating the request destination. Before the fix, a caller could point the agent at internal hostnames, loopback, link-local cloud metadata endpoints (for example 169.254.169.254), or other private IP ranges, and the agent would issue the request and return or ingest the response. Redirect hops were also followed without revalidation, so a public URL could redirect into the internal network. The fix adds validate_url() in url_utils.py that enforces an http/https scheme allow-list and resolves each hostname to reject loopback, link-local, private, reserved, multicast, and unspecified addresses, and applies it before the initial request, for every redirect hop, and before downloading the final content.
You are affected if you are using a version that falls within the vulnerable range and you use the experimental Document Agent to ingest documents from untrusted or user-supplied URLs.
ag2 is vulnerable to Server-Side Request Forgery (SSRF) in versions 0.7.5 - 0.12.3.
Upgrade the ag2 library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant