CVE-2025-31490
📋 TL;DR
AutoGPT versions before 0.6.1 contain a DNS rebinding vulnerability in the requests wrapper that allows Server-Side Request Forgery (SSRF). Attackers can bypass IP validation by using DNS servers that initially return allowed addresses with TTL 0, then rebind to internal addresses during actual requests. This affects all AutoGPT deployments using vulnerable versions.
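The check-then-use flaw described above, beside the resolve-once-and-pin pattern that defeats it, as an added example (not AutoGPT's own code and not a copy of the vendor patch). The resolver is injected so the code runs offline; `RebindingResolver` is a constructed stand-in for a DNS server that answers with a public address once and an internal one afterwards, and the sample addresses are constructed.

```python
import ipaddress
from typing import Callable, Dict, List, Tuple
from urllib.parse import urlsplit, urlunsplit

# A resolver maps a hostname to the IP strings DNS answered with. It is injected
# so the example runs offline; a real wrapper would use socket.getaddrinfo.
Resolver = Callable[[str], List[str]]

def is_disallowed_ip(ip: str) -> bool:
    """True for anything that is not globally routable unicast: loopback,
    RFC 1918, link-local (cloud metadata), IPv6 ULA, multicast, reserved."""
    addr = ipaddress.ip_address(ip)
    return (not addr.is_global) or addr.is_multicast

def fetch_check_then_use(url: str, resolve: Resolver) -> str:
    """The rebinding-prone pattern: validate one lookup, then hand the hostname
    to the HTTP client, which resolves it AGAIN before connecting.
    Returns the IP the client would actually connect to."""
    host = urlsplit(url).hostname
    if any(is_disallowed_ip(ip) for ip in resolve(host)):
        raise ValueError(f"blocked host {host}")
    return resolve(host)[0]  # second lookup: a TTL-0 name may now be internal

def fetch_pinned(url: str, resolve: Resolver) -> Tuple[str, str, Dict[str, str]]:
    """Hardened pattern: resolve once, validate every answer, then connect to the
    validated IP literal and carry the original Host header, so no later DNS
    answer can change the destination. Returns (ip, pinned_url, headers)."""
    parts = urlsplit(url)
    ips = resolve(parts.hostname)
    if not ips or any(is_disallowed_ip(ip) for ip in ips):
        raise ValueError(f"blocked host {parts.hostname}")
    ip = ips[0]
    literal = f"[{ip}]" if ":" in ip else ip
    netloc = literal + (f":{parts.port}" if parts.port else "")
    pinned_url = urlunsplit((parts.scheme, netloc, parts.path, parts.query, ""))
    return ip, pinned_url, {"Host": parts.netloc}

class RebindingResolver:
    """Constructed stand-in for a DNS server that answers with a public address
    once (TTL 0) and with an internal address on every later lookup."""
    def __init__(self, first: str, then: str) -> None:
        self.answers = [first, then]

    def __call__(self, host: str) -> List[str]:
        ip = self.answers.pop(0) if len(self.answers) > 1 else self.answers[0]
        return [ip]
```

For https URLs the client must still verify the certificate against the original hostname (SNI), which a bare IP-literal URL does not do by itself.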
💻 Affected Systems
- AutoGPT
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete internal network compromise via SSRF to internal services, data exfiltration, or lateral movement to cloud metadata services.
Likely Case
Unauthorized access to internal HTTP services, API endpoints, or cloud metadata leading to information disclosure.
If Mitigated
Limited impact if network segmentation restricts AutoGPT from accessing sensitive internal resources.
🎯 Exploit Status
DNS rebinding attacks require controlling a malicious DNS server, but exploitation is straightforward once set up.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.6.1
Vendor Advisory: https://github.com/Significant-Gravitas/AutoGPT/security/advisories/GHSA-wvjg-9879-3m7w
Restart Required: Yes
Instructions:
1. Update AutoGPT to version 0.6.1 or later.
2. Restart all AutoGPT services.
3. Verify the fix by checking the version and testing SSRF protections.
🔧 Temporary Workarounds
Network Restriction
Restrict outbound network access from AutoGPT instances to only the external services they need, using firewall rules.
DNS Filtering
Configure DNS servers to block or log requests to unknown or suspicious domains that could be used for DNS rebinding.
🧯 If You Can't Patch
- Isolate AutoGPT instances in a restricted network segment with no access to internal services
- Implement egress filtering to block all outbound traffic except to explicitly allowed destinations
🔍 How to Verify
Check if Vulnerable:
Check the AutoGPT version: if it is below 0.6.1, the system is vulnerable. Review autogpt_platform/backend/backend/util/request.py for the vulnerable validation logic.
Check Version:
Check the AutoGPT configuration or, where available, run: python -c "import autogpt; print(autogpt.__version__)"; otherwise review the deployment manifests.
Verify Fix Applied:
After updating to 0.6.1 or later, verify that the requests wrapper includes DNS rebinding protection by checking that commit 66ebe4376eab3434af90808796b54c2139847b37 is present.
📡 Detection & Monitoring
Log Indicators:
- Unusual outbound HTTP requests from AutoGPT to internal IP ranges
- DNS responses with TTL 0 followed by connections to an IP other than the one first returned for the same name
Network Indicators:
- HTTP requests from AutoGPT to internal services (10.x.x.x, 172.16.x.x, 192.168.x.x, ::1, fd00::/8)
- DNS responses with TTL 0 changing IP addresses
SIEM Query:
source="autogpt" AND (dest_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, ::1) OR dns.ttl=0)