CVE-2025-62616
📋 TL;DR
This CVE describes a Server-Side Request Forgery (SSRF) vulnerability in AutoGPT's SendDiscordFileBlock component. Attackers can exploit unfiltered URL inputs to make unauthorized requests to internal systems. Users running AutoGPT versions before beta-v0.6.34 are affected.
💻 Affected Systems
- AutoGPT
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of internal infrastructure through SSRF to cloud metadata services, internal APIs, or sensitive systems, potentially leading to data exfiltration or lateral movement.
Likely Case
Unauthorized access to internal HTTP services, port scanning of internal networks, or data leakage from internal endpoints.
If Mitigated
Limited impact when network segmentation and egress filtering restrict the vulnerable component to the external services it needs.
🎯 Exploit Status
Exploitation requires ability to control URL input to SendDiscordFileBlock. No authentication bypass needed beyond access to this functionality.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: autogpt-platform-beta-v0.6.34
Vendor Advisory: https://github.com/Significant-Gravitas/AutoGPT/security/advisories/GHSA-ggc4-4fmm-9hmc
Restart Required: Yes
Instructions:
1. Update AutoGPT to version beta-v0.6.34 or later.
2. Restart the AutoGPT service.
3. Verify the update was successful.
🔧 Temporary Workarounds
Input Validation Workaround
Implement strict URL validation and filtering for SendDiscordFileBlock inputs
# Modify SendDiscordFileBlock to validate URLs before processing
# Example Python validation:
from urllib.parse import urlparse

# Only these hosts may be fetched
allowed_domains = ['discord.com', 'cdn.discordapp.com']

def validate_url(url):
    parsed = urlparse(url)
    # Exact match on netloc: a URL with an explicit port, a user:pass@ prefix
    # or a differently cased host is rejected
    return parsed.netloc in allowed_domains and parsed.scheme in ['http', 'https']
🧯 If You Can't Patch
- Disable SendDiscordFileBlock functionality if not required
- Implement network egress filtering to restrict outbound connections from AutoGPT to only necessary external services
🔍 How to Verify
Check if Vulnerable:
Check AutoGPT version: if version is earlier than beta-v0.6.34, system is vulnerable.
Check Version:
Check package.json or run: python -c "import autogpt; print(autogpt.__version__)"
Verify Fix Applied:
Confirm version is beta-v0.6.34 or later and test SendDiscordFileBlock with controlled SSRF test payloads.
📡 Detection & Monitoring
Log Indicators:
- Unusual outbound HTTP requests from AutoGPT process to internal IP addresses
- Multiple failed connection attempts to internal services
Network Indicators:
- HTTP requests from AutoGPT to non-Discord domains or internal IP ranges
- Port scanning patterns from AutoGPT host
SIEM Query:
source="autogpt.log" AND (url_contains="169.254.169.254" OR url_contains="metadata.google.internal" OR url_contains="192.168." OR url_contains="10." OR url_contains="172.16.")
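Substring matching as in the query above also fires on `10.` inside a file name and covers only part of 172.16.0.0/12, so the following added example (not from the advisory or the AutoGPT code base) parses each logged URL and classifies its host by address range instead. The log line format, the function names and the reuse of the workaround's allow-list are assumptions.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Assumption: the hosts the block legitimately needs, from the workaround above.
ALLOWED_HOSTS = {"discord.com", "cdn.discordapp.com"}
METADATA_NAMES = {"metadata.google.internal"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

def classify_host(host):
    """Return 'internal', 'unexpected', or None when the host is allow-listed."""
    host = host.rstrip(".").lower()
    if host in METADATA_NAMES or host == "localhost":
        return "internal"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # Not an IP literal: only allow-listed names pass.
        return None if host in ALLOWED_HOSTS else "unexpected"
    # Covers 10/8, 172.16/12, 192.168/16, 127/8, 169.254/16 and IPv6 equivalents.
    if ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_unspecified:
        return "internal"
    return "unexpected"

def flag_log_lines(lines):
    """Return (line_number, url, verdict) for every URL that is not allow-listed."""
    hits = []
    for number, line in enumerate(lines, start=1):
        for url in URL_RE.findall(line):
            try:
                host = urlsplit(url).hostname
            except ValueError:
                host = None
            verdict = classify_host(host) if host else "unparseable"
            if verdict:
                hits.append((number, url, verdict))
    return hits

# Constructed sample log lines (the format is an assumption, not AutoGPT's own).
SAMPLE_LOG = [
    "2025-01-01T09:00:01Z INFO SendDiscordFileBlock fetch https://cdn.discordapp.com/attachments/1/2/report-10.png",
    "2025-01-01T09:00:02Z INFO SendDiscordFileBlock fetch http://169.254.169.254/latest/meta-data/",
    "2025-01-01T09:00:03Z INFO SendDiscordFileBlock fetch http://172.31.5.9:8080/health",
    "2025-01-01T09:00:04Z INFO SendDiscordFileBlock fetch https://example.org/file.txt",
]

if __name__ == "__main__":
    print(*flag_log_lines(SAMPLE_LOG), sep="\n")
```

The first sample line contains `10.` but is not flagged, and the third is flagged although it contains none of the query's substrings.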