PraisonAI versions before 4.5.90 expose a Server‑Side Request Forgery flaw in the passthrough() and apassthrough() functions. These functions accept an api_base parameter supplied by the caller, then concatenate it with an endpoint and hand it to httpx.Client.request() when the primary path raises an AttributeError. No URL scheme validation, private‑IP filtering, or domain allowlist is performed, allowing an attacker to target any host reachable from the server. By crafting a malicious api_base value, an attacker can force the server to download data from internal resources, access internal services, or exfiltrate sensitive information. The weakness aligns with CWE‑918.

MervinPraison’s PraisonAI product is affected. All releases earlier than 4.5.90 contain the flaw. The vendor released a fix in version 4.5.90; upgrading to that or a later version removes the unvalidated api_base input and eliminates the SSRF risk.

The vulnerability’s CVSS score of 7.7 indicates a high potential impact if exploited. Its EPSS value is below 1%, suggesting that exploitation is currently unlikely, and it is not listed in the CISA KEV catalog. Nevertheless, the conditions for exploitation are minimal: an attacker who can send an API request to the vulnerable server can supply an arbitrary api_base value. Because the server makes outbound requests to whatever host the attacker specifies, the attack surface extends to internal network resources, posing a significant threat to confidentiality and integrity.