Product Overview
Product Name: AutoGPT
Component Affected: RSSFeedBlock and SendDiscordFileBlock
Affected Versions: All releases below v0.6.34
Fixed Version: v0.6.34
AutoGPT is an autonomous AI agent framework that allows users to define tasks which are executed through multiple internal “blocks.” Two of these blocks were found to improperly handle user-supplied URLs, resulting in critical Server-Side Request Forgery (SSRF) vulnerabilities.
Vulnerability Summary
| CVE Name | CVE ID | CVSS Score | Severity | Exploitability | Exploit Availability |
|---|---|---|---|---|---|
| AutoGPT RSS Feed SSRF | CVE-2025-62615 | 9.3 | Critical | High | Proof of concept available (educational use only) |
| AutoGPT Discord File SSRF | CVE-2025-62616 | 9.3 | Critical | High | Proof of concept available (educational use only) |
Vulnerability Description
Two independent SSRF vulnerabilities were identified in AutoGPT due to insufficient validation of externally supplied URLs.
In the RSSFeedBlock, a user-controlled RSS feed URL was directly fetched by the backend using standard HTTP request functions. Although basic scheme validation was present, it was insufficient to prevent access to internal or restricted network locations.
In the SendDiscordFileBlock, a user-provided file URL was fetched by the server before being forwarded to Discord. No restrictions were enforced on the destination host, allowing arbitrary internal requests to be made from the AutoGPT server.
In both cases, the AutoGPT server acted as a proxy, unknowingly making HTTP requests on behalf of an attacker.
Root Cause
The vulnerabilities were caused by:
- Absence of allow-listing for external destinations
- Failure to block private, loopback, and link-local IP ranges
- No hostname resolution checks after DNS lookup
- Direct use of HTTP client libraries with untrusted input
Attack Scenario
The vulnerability could be exploited if an attacker was able to supply a crafted URL to either affected block. Once supplied, the AutoGPT server would initiate an outbound request to the specified address.
This behavior could be abused to:
- Access internal administrative panels
- Query cloud metadata services
- Interact with internal APIs or databases
- Perform network reconnaissance from the server’s trust boundary
Proof of Concept (Educational)
The following example demonstrates the nature of the issue and is intended strictly for defensive and educational validation:
http://127.0.0.1:4321
When provided as an RSS feed URL or file URL, the server would attempt to retrieve content from its own loopback interface, confirming SSRF behavior.
Impact
Successful exploitation could result in:
- Unauthorized access to internal services
- Exposure of sensitive configuration data
- Retrieval of cloud instance credentials
- Increased attack surface for lateral movement
Because AutoGPT is often deployed with access to internal resources, the overall impact is considered critical.
MITRE Mapping
- CWE-918: Server-Side Request Forgery (SSRF)
Detection Strategy
Recommended Log Sources
- Application request logs
- API gateway or reverse proxy logs
- Outbound firewall or proxy logs
- Cloud VPC / flow logs
- Container or host-level network logs
Detection Rules and Queries
Splunk (Application Logs)
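```
index=autogpt_logs
| where like(request_url, "http://127.%")
    OR like(request_url, "http://10.%")
    OR like(request_url, "http://192.168.%")
    OR like(request_url, "http://169.254.169.254%")
| table _time, user, request_url, source_ip
```
These prefix matches only catch plain-http URLs that contain a literal IP address, and they omit 172.16.0.0/12. Correlate the results with the network-level query below, which matches on the destination address.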
Splunk (Network / Proxy Logs)
```
index=proxy_logs
| where dest_ip IN ("127.0.0.1", "169.254.169.254")
    OR cidrmatch("10.0.0.0/8", dest_ip)
    OR cidrmatch("172.16.0.0/12", dest_ip)
    OR cidrmatch("192.168.0.0/16", dest_ip)
| table _time, src_ip, dest_ip, dest_port, url
```
Elasticsearch / OpenSearch (KQL)
```
url.full : ("http://127.*" or "http://10.*" or "http://192.168.*" or "http://169.254.169.254*")
```
Cloud Flow Logs
Filter for outbound traffic from AutoGPT instances targeting:
- 127.0.0.0/8
- 10.0.0.0/8
- 172.16.0.0/12
- 192.168.0.0/16
- 169.254.169.254
Any such traffic should be treated as suspicious.
Mitigation and Remediation
The vulnerability was fully addressed in AutoGPT v0.6.34.
Immediate actions recommended:
- Upgrade all AutoGPT deployments to v0.6.34 or later
- Restrict outbound traffic from AutoGPT servers
- Block access to cloud metadata endpoints at the network layer
- Implement strict URL validation and hostname resolution checks
- Rotate credentials if exposure is suspected
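One way to implement the URL validation and hostname resolution checks recommended above, covering the gaps named under Root Cause. This is an added example, not AutoGPT's own fix; the names `validate_outbound_url`, `check_ip`, `system_resolver` and `BlockedURL` are assumptions made for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


class BlockedURL(ValueError):
    """Raised when the server must not fetch a user-supplied URL."""


def system_resolver(host, port):
    """Return every address (A and AAAA) the OS resolver yields for host."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def check_ip(raw):
    """Return the address as a string if globally routable, else raise."""
    ip = ipaddress.ip_address(raw.split("%", 1)[0])  # drop any IPv6 zone id
    mapped = getattr(ip, "ipv4_mapped", None)  # ::ffff:a.b.c.d -> a.b.c.d
    if mapped is not None:
        ip = mapped
    # is_global is False for loopback, RFC 1918, link-local and reserved ranges.
    if not ip.is_global:
        raise BlockedURL(f"{ip} is not a public address")
    return str(ip)


def validate_outbound_url(url, resolver=system_resolver):
    """Check scheme and resolved addresses; return (host, port, pinned_ips).

    The caller should connect only to pinned_ips (so a second DNS lookup
    cannot return a different answer) and re-validate every redirect target.
    """
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise BlockedURL(f"scheme {parts.scheme!r} is not allowed")
    if not parts.hostname:
        raise BlockedURL("URL has no host")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    try:
        addresses = resolver(parts.hostname, port)
    except OSError as exc:
        raise BlockedURL(f"cannot resolve {parts.hostname}") from exc
    if not addresses:
        raise BlockedURL(f"{parts.hostname} resolved to no addresses")
    # Reject if ANY record is internal, not only the first one returned.
    return parts.hostname, port, [check_ip(addr) for addr in addresses]
```

The `resolver` parameter exists so the check can be unit-tested offline with a stub; in production the default `system_resolver` is used.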
Official Patch / Upgrade Link
Upgrade to AutoGPT v0.6.34 (Official Security Fix):
https://github.com/Significant-Gravitas/AutoGPT/security/advisories
Final Takeaway
Evidence of exploitation is not needed to confirm the risk, as the vulnerability is trivially exploitable once a URL input is controlled. All proof-of-concept information should be used strictly for defensive testing and validation purposes.
Upgrading remains the most effective and complete mitigation.
