CVE-2025-32393
📋 TL;DR
AutoGPT versions before autogpt-platform-beta-v0.6.32 contain a denial-of-service vulnerability in the ReadRSSFeedBlock component. An attacker who controls (or can poison) an RSS feed that the block fetches can supply specially crafted XML that exhausts memory during parsing, disrupting the service. Every AutoGPT deployment running a vulnerable version with the block in use is affected.
💻 Affected Systems
- AutoGPT Platform
📦 What is this software?
AutoGPT is an open-source platform from Significant-Gravitas for building, running and hosting autonomous AI agents. Agent workflows are assembled from blocks; ReadRSSFeedBlock is the block that fetches an RSS feed from a URL and parses its XML into items the agent can act on.
⚠️ Risk & Real-World Impact
Worst Case
Complete service outage due to memory exhaustion, potentially affecting all AutoGPT agents and workflows running on the system.
Likely Case
Service degradation or temporary unavailability of AutoGPT agents when targeted with malicious RSS feeds.
If Mitigated
Minimal impact with proper input validation and resource limits in place.
🎯 Exploit Status
Exploitation requires serving specially crafted XML from a feed URL that an agent's ReadRSSFeedBlock fetches. No AutoGPT credentials are needed; the attacker only needs control of a feed source the agent is configured to read. The advisory provides technical details that could facilitate exploitation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: autogpt-platform-beta-v0.6.32
Vendor Advisory: https://github.com/Significant-Gravitas/AutoGPT/security/advisories/GHSA-5cqw-g779-9f9x
Restart Required: Yes
Instructions:
1. Update AutoGPT to autogpt-platform-beta-v0.6.32 or later.
2. Restart all AutoGPT services.
3. Verify the update by checking the deployed version.
🔧 Temporary Workarounds
Disable the ReadRSSFeedBlock
Temporarily remove ReadRSSFeedBlock from agent workflows so that no untrusted feed is parsed until the patch is applied.
Edit the affected agent workflows, or the AutoGPT configuration, to remove or disable the ReadRSSFeedBlock component
Restrict feed sources
Allow RSS feeds only from trusted domains, enforced by an allowlist of feed hosts.
Back the allowlist with egress firewall rules so the platform can only fetch feeds from approved sources
🧯 If You Can't Patch
- Implement strict input validation and size limits on RSS feed content
- Monitor system memory usage and implement automatic restart thresholds for AutoGPT services
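The two workarounds above (a trusted-source allowlist, and size limits plus input validation on feed content) can be applied in code as well as at the network layer. The following is an added example, not AutoGPT's own code or the fix shipped in beta-v0.6.32: it allowlists the feed host, reads the response body with a hard byte cap instead of trusting Content-Length, and parses the XML with expat while refusing any DOCTYPE (which is where entity-expansion bombs are declared) and overly deep nesting. The limits, the allowlist hosts and both sample feeds are constructed for the example.

```python
"""Added hardening example for fetching and parsing an RSS feed under hard limits.
Not AutoGPT's own code: limits, allowlist and sample feeds are assumptions."""
import io
import xml.parsers.expat as expat
from urllib.parse import urlsplit

# Assumed limits; tune to your deployment.
MAX_FEED_BYTES = 2 * 1024 * 1024
MAX_ITEMS = 500
MAX_DEPTH = 32
ALLOWED_FEED_HOSTS = {"feeds.example.invalid", "blog.example.invalid"}  # constructed allowlist


class FeedRejected(ValueError):
    """Raised when a feed violates a policy or limit."""


def feed_url_allowed(url: str, allowed_hosts=ALLOWED_FEED_HOSTS) -> bool:
    """Source restriction: https only, no embedded credentials, exact host match."""
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.username or parts.password:
        return False
    # Exact match, so "feeds.example.invalid.attacker.tld" does not pass a suffix check.
    return (parts.hostname or "").lower() in allowed_hosts


def read_capped(stream, max_bytes: int = MAX_FEED_BYTES) -> bytes:
    """Read at most max_bytes. Content-Length is attacker-controlled, so count what arrives."""
    chunks, total = [], 0
    while True:
        chunk = stream.read(64 * 1024)
        if not chunk:
            return b"".join(chunks)
        total += len(chunk)
        if total > max_bytes:
            raise FeedRejected(f"feed exceeds {max_bytes} bytes")
        chunks.append(chunk)


def parse_rss_bounded(data: bytes, max_items=MAX_ITEMS, max_depth=MAX_DEPTH) -> list:
    """Extract item title/link with expat; refuse DOCTYPEs (entity bombs) and deep nesting."""
    items, path, text = [], [], []
    current = None  # dict while inside an <item>

    def forbid_doctype(name, sysid, pubid, has_internal_subset):
        # Entities can only be declared in a DTD, so refusing the DOCTYPE blocks expansion attacks.
        raise FeedRejected("DOCTYPE not allowed: blocks entity-expansion bombs")

    def start(name, attrs):
        nonlocal current
        path.append(name)
        if len(path) > max_depth:
            raise FeedRejected("element nesting too deep")
        if name == "item":
            if len(items) >= max_items:
                raise FeedRejected("too many items")
            current = {}
        text.clear()

    def end(name):
        nonlocal current
        if current is not None and name in ("title", "link") and path[-2] == "item":
            current[name] = "".join(text).strip()
        if name == "item":
            items.append(current)
            current = None
        path.pop()
        text.clear()

    parser = expat.ParserCreate()
    parser.buffer_text = True
    parser.StartDoctypeDeclHandler = forbid_doctype
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = text.append
    try:
        parser.Parse(data, True)  # a FeedRejected raised in a handler propagates out of Parse
    except expat.ExpatError as exc:
        raise FeedRejected(f"malformed XML: {exc}") from exc
    return items


def safe_load_feed(url: str, body):
    """Allowlist, capped read, hardened parse. body is bytes or a readable stream
    (in production, the HTTP response stream). Returns (ok, items_or_reason)."""
    if not feed_url_allowed(url):
        return False, "feed host not in allowlist"
    stream = io.BytesIO(body) if isinstance(body, bytes) else body
    try:
        return True, parse_rss_bounded(read_capped(stream))
    except FeedRejected as exc:
        return False, str(exc)


# Constructed samples (no network): a benign feed and an entity-expansion bomb.
BENIGN_FEED = (b'<?xml version="1.0"?><rss version="2.0"><channel><title>Demo</title>'
               b'<item><title>First</title><link>https://blog.example.invalid/1</link></item>'
               b'<item><title>Second</title><link>https://blog.example.invalid/2</link></item>'
               b'</channel></rss>')
BOMB_FEED = (b'<?xml version="1.0"?><!DOCTYPE lolz [<!ENTITY lol "lol">'
             b'<!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">'
             b'<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">]>'
             b'<rss><channel><item><title>&lol3;</title></item></channel></rss>')

if __name__ == "__main__":
    print(safe_load_feed("https://feeds.example.invalid/rss", BENIGN_FEED))
    print(safe_load_feed("https://feeds.example.invalid/rss", BOMB_FEED))
```

The byte cap is enforced on the bytes actually read, not on the Content-Length header, because a hostile server can send a small header and an unbounded body. The DOCTYPE refusal is deliberately blunt: RSS feeds have no legitimate need for a DTD, and rejecting it outright is simpler to reason about than trying to bound entity expansion after the fact.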
🔍 How to Verify
Check if Vulnerable:
Check the deployed AutoGPT version. If it is earlier than autogpt-platform-beta-v0.6.32 and any agent workflow uses ReadRSSFeedBlock, the system is vulnerable.
Check Version:
Identify the release you are running: for a source checkout, the checked-out tag (for example `git describe --tags` in the repository) or the release tag recorded in your deployment configuration; compare it against autogpt-platform-beta-v0.6.32.
Verify Fix Applied:
Confirm the deployed version is autogpt-platform-beta-v0.6.32 or later, then exercise ReadRSSFeedBlock against a known-good feed and against an oversized or malformed feed in a test environment to confirm the block fails cleanly instead of exhausting memory.
📡 Detection & Monitoring
Log Indicators:
- Unusually large RSS feed parsing operations
- Memory exhaustion errors in AutoGPT logs
- Repeated RSS parsing failures
Network Indicators:
- Requests to unusual or suspicious RSS feed URLs
- Large XML payloads being fetched
SIEM Query:
source="autogpt.logs" AND ("memory" OR "resource" OR "exhaustion") AND "RSS"
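The SIEM query above matches individual lines; the indicators listed under "Log Indicators" are more useful when correlated per feed source, since one feed that fails to parse repeatedly and then coincides with a memory error is the signature of this attack. The following is an added example of that correlation, not AutoGPT's code or its real log format: the line layout (`<timestamp> <LEVEL> <component>: <message>`), the component name in the messages, the failure threshold and the sample log are all constructed for the example and would need adapting to the logs you actually collect.

```python
"""Added detection example: correlates RSS parse failures and memory errors per feed host.
Not AutoGPT's code; the log format, component name and sample lines are constructed."""
import re
from collections import Counter
from urllib.parse import urlsplit

# Assumed log layout: "<timestamp> <LEVEL> <component>: <message>". Adjust to your real logs.
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<level>[A-Z]+) (?P<component>\S+): (?P<msg>.*)$")
URL_RE = re.compile(r"https?://\S+")
MEMORY_RE = re.compile(r"MemoryError|out of memory|OOMKilled|resource exhaust", re.IGNORECASE)
FAILURE_THRESHOLD = 3  # assumed: three parse failures from one feed host warrants an alert


def analyze(log_text: str) -> dict:
    """Return per-host parse-failure counts, memory-exhaustion lines and derived alerts."""
    failures = Counter()      # parse failures per feed host
    memory_hosts = set()      # hosts named in memory-exhaustion lines
    oversize_hosts = set()    # hosts that returned an oversized response
    memory_events = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # skip lines that do not fit the assumed layout
        msg = m["msg"]
        url = URL_RE.search(msg)
        host = urlsplit(url.group(0)).hostname if url else None
        if MEMORY_RE.search(msg):
            memory_events.append(raw)
            if host:
                memory_hosts.add(host)
        if (m["component"] == "ReadRSSFeedBlock" and m["level"] == "ERROR"
                and "parse failed" in msg and host):
            failures[host] += 1
        if "too large" in msg and host:
            oversize_hosts.add(host)
    alerts = []
    for host, n in failures.items():
        if n >= FAILURE_THRESHOLD:
            alerts.append(f"{host}: {n} repeated RSS parse failures")
    for host in memory_hosts:
        alerts.append(f"{host}: memory exhaustion while parsing feed")
    for host in oversize_hosts:
        alerts.append(f"{host}: oversized feed response")
    return {"failures": dict(failures), "memory_events": memory_events, "alerts": sorted(alerts)}


# Constructed sample log: one healthy feed, one feed that fails repeatedly and then
# coincides with a MemoryError, and one feed rejected for size.
SAMPLE_LOG = """\
2025-05-01T10:00:01Z INFO ReadRSSFeedBlock: fetching https://feeds.example.invalid/rss
2025-05-01T10:00:02Z INFO ReadRSSFeedBlock: parsed 12 items from https://feeds.example.invalid/rss
2025-05-01T10:01:00Z ERROR ReadRSSFeedBlock: parse failed for https://bad.example.invalid/feed.xml: not well-formed
2025-05-01T10:01:30Z ERROR ReadRSSFeedBlock: parse failed for https://bad.example.invalid/feed.xml: not well-formed
2025-05-01T10:02:00Z ERROR ReadRSSFeedBlock: parse failed for https://bad.example.invalid/feed.xml: not well-formed
2025-05-01T10:02:05Z ERROR executor: MemoryError while running ReadRSSFeedBlock for https://bad.example.invalid/feed.xml
2025-05-01T10:03:00Z WARNING ReadRSSFeedBlock: response too large (3145728 bytes) from https://huge.example.invalid/rss
"""

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG)["alerts"]:
        print(alert)
```

Keying the counters on the feed host rather than on the full URL is a deliberate choice: an attacker rotating paths on one hostile domain still accumulates against a single counter, while the healthy feed on a different host never contributes to it.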