Intel

AIKIDO-2026-579992

ag2 is vulnerable to Server-Side Request Forgery (SSRF)

Server-Side Request Forgery (SSRF) Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published 3 days ago

59

Medium Risk

This Affects:

PYTHONag2
0.7.5 - 0.12.3
Fixed in 0.13.0
Are you affected? Scan for Free

TL;DR

The experimental Document Agent fetches remote documents from user- or model-supplied URLs in autogen/agents/experimental/document_agent/document_utils.py without validating the request destination. Before the fix, a caller could point the agent at internal hostnames, loopback, link-local cloud metadata endpoints (for example 169.254.169.254), or other private IP ranges, and the agent would issue the request and return or ingest the response. Redirect hops were also followed without revalidation, so a public URL could redirect into the internal network. The fix adds validate_url() in url_utils.py that enforces an http/https scheme allow-list and resolves each hostname to reject loopback, link-local, private, reserved, multicast, and unspecified addresses, and applies it before the initial request, for every redirect hop, and before downloading the final content.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and you use the experimental Document Agent to ingest documents from untrusted or user-supplied URLs.

Background info

ag2 is vulnerable to Server-Side Request Forgery (SSRF) in versions 0.7.5 - 0.12.3.

How to fix this

Upgrade the ag2 library to the patch version.