CVE-2025-0454

7.5 HIGH

📋 TL;DR

This SSRF vulnerability in AutoGPT allows attackers to bypass URL validation and make unauthorized requests to internal systems. It affects AutoGPT versions before v0.4.0 that use the Requests utility with vulnerable URL parsing logic.

💻 Affected Systems

Products:
  • AutoGPT
Versions: All versions prior to v0.4.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects installations using the Requests utility with URL parsing. Requires user input that gets passed to the vulnerable function.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of internal services, data exfiltration, or lateral movement within the network by accessing internal APIs and services.

🟠 Likely Case

Unauthorized access to internal HTTP services, metadata endpoints, or internal APIs that shouldn't be exposed externally.

🟢 If Mitigated

Limited impact with proper network segmentation and egress filtering preventing access to sensitive internal resources.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires understanding of URL parsing discrepancies between libraries and ability to submit crafted URLs to the vulnerable endpoint.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v0.4.0 and later

Vendor Advisory: https://github.com/significant-gravitas/autogpt/commit/ff065cd24c2289878c0abdb9adbf91c305f0d70a

Restart Required: No

Instructions:

1. Update AutoGPT to version 0.4.0 or later using pip: pip install --upgrade autogpt
2. Verify the update completed successfully
3. No restart required as this is a library fix

🔧 Temporary Workarounds

Input Validation Enhancement

all

Implement strict URL validation before passing to Requests utility
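
One way to implement the strict validation described above, as an added example (not AutoGPT's code or the upstream fix). The function name validate_outbound_url and the injectable resolver parameter are assumptions made for illustration; the check rejects URLs that parsers may read differently and any host that resolves to a non-public address.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def _system_resolver(host, port):
    """Return every IP address the system resolver gives for host."""
    infos = socket.getaddrinfo(host, port, proto=socket.IPPROTO_TCP)
    return [info[4][0] for info in infos]


def validate_outbound_url(url, resolver=_system_resolver):
    """Return (hostname, ips) if url may be fetched, else raise ValueError.

    Hypothetical helper: call it before handing the URL to the HTTP client.
    """
    # Characters that different URL parsers are known to interpret differently.
    if any(c in url for c in "\\\t\r\n ") or not url.isascii():
        raise ValueError("ambiguous characters in URL")
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError("scheme not allowed")
    # Userinfo ("user@host") lets two parsers disagree on which part is the host.
    if "@" in parts.netloc:
        raise ValueError("userinfo not allowed")
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    # parts.port raises ValueError itself on a malformed port.
    port = parts.port or (443 if parts.scheme == "https" else 80)
    ips = resolver(host, port)
    if not ips:
        raise ValueError("host did not resolve")
    # Every resolved address must be public; one internal record is enough to reject.
    for ip in ips:
        addr = ipaddress.ip_address(ip.split("%")[0])  # drop any IPv6 zone id
        if not addr.is_global:
            raise ValueError(f"{host} resolves to non-public address {addr}")
    return host, ips
```

The check only holds if the request then goes to one of the returned addresses and redirects are either disabled or each redirect target is validated the same way; otherwise a second DNS lookup or a redirect can still reach an internal host.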

🧯 If You Can't Patch

  • Implement network-level restrictions to block outbound requests to internal IP ranges
  • Deploy WAF rules to detect and block SSRF patterns in URL parameters

🔍 How to Verify

Check if Vulnerable:

Check AutoGPT version: python -c "import autogpt; print(autogpt.__version__)" and verify it's below 0.4.0

Check Version:

python -c "import autogpt; print(autogpt.__version__)"

Verify Fix Applied:

Confirm version is 0.4.0 or higher and test with known SSRF payloads to ensure they're blocked

📡 Detection & Monitoring

Log Indicators:

  • Unusual outbound HTTP requests from AutoGPT to internal IP addresses
  • Requests containing @ symbols and ../ patterns in URLs

Network Indicators:

  • HTTP requests from AutoGPT to internal services that shouldn't be accessed
  • Requests with malformed URLs containing port specifications and path traversal

SIEM Query:

source="autogpt" AND (url="*@*" OR url="*localhost*" OR url="*127.*" OR url="*192.168.*" OR url="*10.*" OR url="*172.16.*")
