CVE-2026-47390: PraisonAI spider_tools SSRF protection bypass via alternate loopback host encodings
PraisonAI’s spider_tools URL validation can be bypassed using alternate loopback host encodings.
The affected component is:
praisonaiagents/tools/spider_tools.py
The tool contains a URL validation function intended to block local or unsafe targets before fetching attacker-controlled URLs. However, the validation only blocks a small set of exact host strings such as localhost and 127.0.0.1.
It does not normalize hostnames, resolve DNS, parse numeric IPv4 variants, or validate the final resolved IP address before making the request.
As a result, URLs such as the following bypass the protection and still reach loopback services:
http://localhost.:8765/
http://127.1:8765/
http://0177.0.0.1:8765/
http://0x7f000001:8765/
http://2130706433:8765/
After the weak validation passes, scrape_page() calls requests.Session.get() on the attacker-controlled URL. This allows an attacker who can influence URLs passed to scrape_page, crawl, or extract_text to induce SSRF requests against loopback-only services.
This is a server-side request forgery protection bypass.
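As an added example (not PraisonAI's code), the block below puts an exact-match denylist of the kind the advisory describes beside a hardened validator that normalizes the hostname, parses the numeric IPv4 spellings listed above, resolves other names and rejects any loopback, private or otherwise non-public address; the function names and the weak check are assumptions.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed list of the loopback spellings quoted in the advisory.
LOOPBACK_VARIANTS = [
    "http://localhost.:8765/",
    "http://127.1:8765/",
    "http://0177.0.0.1:8765/",
    "http://0x7f000001:8765/",
    "http://2130706433:8765/",
]

def weak_is_safe(url: str) -> bool:
    """Exact-string denylist as the advisory describes it (illustrative, not the project's code)."""
    host = urlsplit(url).hostname or ""
    return host not in {"localhost", "127.0.0.1"}

def _parse_ip_literal(host: str):
    """Return an ip_address for any numeric host, including the shorthand, octal, hex and
    single-integer IPv4 spellings that inet_aton accepts; None if the host is not numeric."""
    try:
        return ipaddress.ip_address(host)          # canonical IPv4 / IPv6 literals
    except ValueError:
        pass
    try:
        packed = socket.inet_aton(host)            # 127.1, 0177.0.0.1, 0x7f000001, 2130706433
    except OSError:
        return None
    return ipaddress.IPv4Address(packed)

def _is_disallowed(ip) -> bool:
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped                        # ::ffff:127.0.0.1 -> 127.0.0.1
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)

def hardened_is_safe(url: str) -> bool:
    """Normalize, parse numeric forms, resolve names, and check every resulting address."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    host = parts.hostname.rstrip(".")              # "localhost." -> "localhost"
    if host == "localhost" or host.endswith(".localhost"):
        return False                               # RFC 6761 names, no lookup needed
    literal = _parse_ip_literal(host)
    if literal is not None:
        return not _is_disallowed(literal)
    try:
        infos = socket.getaddrinfo(host, None)     # check every address the name resolves to
    except socket.gaierror:
        return False                               # fail closed on unresolvable names
    return all(not _is_disallowed(ipaddress.ip_address(info[4][0])) for info in infos)
```

Validating the resolved address does not bind the later requests.Session.get() to it, so a name that re-resolves between the check and the fetch still needs the request pinned to the validated IP (or a resolver-aware HTTP adapter).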