CVE-2025-1040

8.8 HIGH

📋 TL;DR

AutoGPT versions 0.3.4 and earlier contain a Server-Side Template Injection vulnerability that allows attackers to execute arbitrary code on the host system. This affects all users running vulnerable versions of AutoGPT, particularly those exposing the application to untrusted users.

💻 Affected Systems

Products:
  • AutoGPT
Versions: 0.3.4 and earlier
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All deployments of affected versions are vulnerable regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise with attacker gaining complete control over the host, data exfiltration, and lateral movement within the network.

🟠 Likely Case

Remote code execution leading to data theft, installation of malware, or use of the system as a foothold for further attacks.

🟢 If Mitigated

Limited impact with proper network segmentation and access controls, potentially only affecting the AutoGPT application container.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires understanding of SSTI techniques and Jinja2 templating, but no authentication is needed once access is obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.4.0

Vendor Advisory: https://github.com/significant-gravitas/autogpt/commit/6dba31e0215549604bdcc1aed24e3a1714e75ee2

Restart Required: No

Instructions:

1. Stop AutoGPT service.
2. Update to version 0.4.0 using pip: 'pip install --upgrade autogpt==0.4.0'.
3. Restart AutoGPT service.

🔧 Temporary Workarounds

Disable Jinja2 template processing

all

Modify configuration to disable or restrict template processing in AgentOutputBlock

🧯 If You Can't Patch

  • Network segmentation: Isolate AutoGPT instances from critical systems
  • Implement strict input validation and sanitization for all user-supplied format strings

🔍 How to Verify

Check if Vulnerable:

Check AutoGPT version: if version <= 0.3.4, system is vulnerable

Check Version:

python -c "import autogpt; print(autogpt.__version__)"

Verify Fix Applied:

Confirm the version is 0.4.0 or higher, and test that template injection attempts are properly sanitized.

📡 Detection & Monitoring

Log Indicators:

  • Unusual template rendering errors
  • Suspicious Jinja2 template patterns in logs
  • Unexpected system command execution

Network Indicators:

  • Unusual outbound connections from AutoGPT host
  • Command and control traffic patterns

SIEM Query:

source="autogpt.log" AND ("template injection" OR "jinja2" OR "{{.*}}")
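
The SIEM query above matches any `{{...}}` on a line, which also fires on harmless variable placeholders. The following triage script is an added example, not AutoGPT code or part of the original advisory: it scans log lines for Jinja2 delimiters and rates each hit. The log line layout, the `format=` field and the rule that a legitimate format string only substitutes a bare variable name are assumptions.

```python
import re

# Jinja2 expression {{ ... }} and statement {% ... %} delimiters (non-greedy,
# so two placeholders on one line are reported separately).
TEMPLATE_RE = re.compile(r"\{\{(.*?)\}\}|\{%(.*?)%\}", re.DOTALL)
# Assumption: a legitimate format string only substitutes a plain variable name.
PLAIN_NAME_RE = re.compile(r"^\s*[A-Za-z_]\w*\s*$")


def classify(body, is_statement):
    """Return 'low' for a bare variable placeholder, 'high' for anything else."""
    if is_statement:
        return "high"  # control statements are not expected in an output format
    return "low" if PLAIN_NAME_RE.match(body) else "high"


def scan_line(line):
    """Return (severity, matched_text) for each template fragment in one line."""
    findings = []
    for m in TEMPLATE_RE.finditer(line):
        is_statement = m.group(2) is not None
        body = m.group(2) if is_statement else m.group(1)
        findings.append((classify(body, is_statement), m.group(0)))
    return findings


def scan_log(lines):
    """Return (line_number, severity, matched_text) per finding, 1-indexed."""
    return [(n, sev, text)
            for n, line in enumerate(lines, 1)
            for sev, text in scan_line(line)]


# Constructed sample log lines (not taken from a real AutoGPT log).
SAMPLE_LOG = [
    "2025-01-10 12:00:01 INFO AgentOutputBlock format='Hello {{ name }}'",
    "2025-01-10 12:00:07 INFO AgentOutputBlock format='{{ 7*7 }}'",
    "2025-01-10 12:00:09 WARN jinja2 template rendering error in '{% for x in y %}'",
    "2025-01-10 12:00:12 INFO block finished, no template in this line",
]

if __name__ == "__main__":
    for n, sev, text in scan_log(SAMPLE_LOG):
        print(f"line {n}: {sev:4} {text}")
```

Anything rated high (operators, attribute access, calls, or control statements inside a user-supplied format string) is worth correlating with the rendering-error and outbound-connection indicators listed above.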
