Login Sign Up

CVE-2025-22603

8.1 HIGH
SSRF

📋 TL;DR

AutoGPT versions prior to beta-v0.4.2 contain a server-side request forgery (SSRF) vulnerability in the 'Send Web Request' component that fails to filter IPv6 addresses. This allows attackers to make unauthorized requests from the AutoGPT server to internal IPv6 services. Users running vulnerable AutoGPT instances are affected.

💻 Affected Systems

Products:
  • AutoGPT
Versions: All versions prior to autogpt-platform-beta-v0.4.2
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects deployments using the vulnerable 'Send Web Request' component.

📦 What is this software?

Autogpt Platform by Agpt

View all CVEs affecting Autogpt Platform →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could access sensitive internal IPv6 services, exfiltrate data, or pivot to attack other internal systems through the AutoGPT server.

🟠

Likely Case

Unauthorized access to internal IPv6 services, potentially exposing internal APIs, databases, or management interfaces.

🟢

If Mitigated

Limited impact if network segmentation restricts AutoGPT server's access to sensitive internal services.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires access to AutoGPT interface and knowledge of internal IPv6 services.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: autogpt-platform-beta-v0.4.2

Vendor Advisory: https://github.com/Significant-Gravitas/AutoGPT/security/advisories/GHSA-4c8v-hwxc-2356

Restart Required: No

Instructions:

1. Update AutoGPT to version autogpt-platform-beta-v0.4.2 or later. 2. Verify the update by checking the version. 3. No restart required for the fix to take effect.

🔧 Temporary Workarounds

Network Segmentation

all

Restrict AutoGPT server's network access to only necessary external services and block access to internal IPv6 networks.

Input Validation

all

Implement custom input validation to reject IPv6 addresses in the 'Send Web Request' component.

🧯 If You Can't Patch

  • Disable or restrict access to the 'Send Web Request' component if not required.
  • Implement network-level filtering to block the AutoGPT server from accessing internal IPv6 addresses.

🔍 How to Verify

Check if Vulnerable:

Check if AutoGPT version is earlier than autogpt-platform-beta-v0.4.2 and if the 'Send Web Request' component is enabled.

Check Version:

Check AutoGPT configuration or deployment manifest for version information.

Verify Fix Applied:

Verify the version is autogpt-platform-beta-v0.4.2 or later and test that IPv6 addresses are properly filtered in the 'Send Web Request' component.

📡 Detection & Monitoring

Log Indicators:

  • Unusual outbound requests from AutoGPT server to IPv6 addresses
  • Failed attempts to access internal IPv6 services

Network Indicators:

  • Outbound connections from AutoGPT server to unexpected IPv6 destinations
  • Traffic to internal IPv6 services from AutoGPT server

SIEM Query:

source_ip:AutoGPT_server_ip AND dest_ip:IPv6_address AND protocol:HTTP/HTTPS

📊 Metadata

CVE ID: CVE-2025-22603
CVSS v3 Score: 8.1 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
CWE: CWE-918
EPSS Score: 0.15% exploit probability (35th percentile)
Published: March 10, 2025
Last Updated: January 28, 2026

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-22603, you might also want to check these:

CVE-2023-3432 10.0

This CVE describes a Server-Side Request Forgery (SSRF) vulnerability in PlantUML versions prior to ...

Same vulnerability type (CWE-918)
CVE-2025-2828 10.0

This Server-Side Request Forgery (SSRF) vulnerability in langchain-community's RequestsToolkit allow...

Same vulnerability type (CWE-918)
CVE-2023-43654 10.0

TorchServe versions 0.1.0 to 0.8.1 have a critical vulnerability where the default configuration lac...

Same vulnerability type (CWE-918)