CVE-2025-31490

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2025-31490
AutoGPT is a platform that allows users to create, deploy, and manage continuous artificial intelligence agents that automate complex workflows. Prior to 0.6.1, AutoGPT allows SSRF due to DNS Rebinding in requests wrapper. AutoGPT is built with a wrapper around Python's requests library, hardening the application against SSRF. The code for this wrapper can be found in autogpt_platform/backend/backend/util/request.py. The requested hostname of a URL which is being requested is validated, ensuring that it does not resolve to any local ipv4 or ipv6 addresses. However, this check is not sufficient, as a DNS server may initially respond with a non-blocked address, with a TTL of 0. This means that the initial resolution would appear as a non-blocked address. In this case, validate_url() will return the url as successful. After validate_url() has successfully returned the url, the url is then passed to the real request() function. When the real request() function is called with the validated url, request() will once again resolve the address of the hostname, because the record will not have been cached (due to TTL 0). This resolution may be in the "invalid range". This type of attack is called a "DNS Rebinding Attack". This vulnerability is fixed in 0.6.1.

7.5 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://github.com/Significant-Gravitas/AutoGPT/commit/66ebe4376eab3434af90808796b54c2139847b37
https://github.com/Significant-Gravitas/AutoGPT/security/advisories/GHSA-wvjg-9879-3m7w
Configurations

No configuration.

History

15 Apr 2025, 18:39

Type Values Removed Values Added
Summary
  • (es) AutoGPT es una plataforma que permite a los usuarios crear, implementar y gestionar agentes continuos de inteligencia artificial que automatizan flujos de trabajo complejos. Antes de la versión 0.6.1, AutoGPT permitía SSRF gracias a la revinculación de DNS en el contenedor de solicitudes. AutoGPT se basa en un contenedor alrededor de la librería de solicitudes de Python, lo que refuerza la aplicación contra SSRF. El código de este contenedor se encuentra en autogpt_platform/backend/backend/util/request.py. Se valida el nombre de host de la URL solicitada, lo que garantiza que no se resuelva a ninguna dirección IPv4 o IPv6 local. Sin embargo, esta comprobación no es suficiente, ya que un servidor DNS podría responder inicialmente con una dirección no bloqueada, con un TTL de 0. Esto significa que la resolución inicial aparecería como una dirección no bloqueada. En este caso, validate_url() devolverá la URL como correcta. Una vez que validate_url() haya devuelto la URL correctamente, esta se pasa a la función request() real. Al llamar a la función request() con la URL validada, request() resolverá de nuevo la dirección del nombre de host, ya que el registro no se habrá almacenado en caché (debido al TTL 0). Esta resolución podría estar en el rango inválido. Este tipo de ataque se denomina "Ataque de Revinculación DNS". Esta vulnerabilidad se corrigió en la versión 0.6.1.

15 Apr 2025, 00:15

Type Values Removed Values Added
Summary (en) AutoGPT is a platform that allows users to create, deploy, and manage continuous artificial intelligence agents that automate complex workflows. Prior to 0.6.1, AutoGPT allows SSRF due to DNS Rebinding in requests wrapper. AutoGPT uses a wrapper around the requests python library, located in autogpt_platform/backend/backend/util/request.py. In this wrapper, redirects are specifically NOT followed for the first request. If the wrapper is used with allow_redirects set to True (which is the default), any redirect is not followed by the initial request, but rather re-requested by the wrapper using the new location. However, there is a fundamental flaw in manually re-requesting the new location: it does not account for security-sensitive headers which should not be sent cross-origin, such as the Authorization and Proxy-Authorization header, and cookies. For example in autogpt_platform/backend/backend/blocks/github/_api.py, an Authorization header is set when retrieving data from the GitHub API. However, if GitHub suffers from an open redirect vulnerability (such as the made-up example of https://api.github.com/repos/{owner}/{repo}/issues/comments/{comment_id}/../../../../../redirect/?url=https://joshua.hu/), and the script can be coerced into visiting it with the Authorization header, the GitHub credentials in the Authorization header will be leaked. All SSRF protections are bypassable; it could allow querying local services, or other previously blocked addresses. Depends on the situation. This vulnerability is fixed in 0.6.1. (en) AutoGPT is a platform that allows users to create, deploy, and manage continuous artificial intelligence agents that automate complex workflows. Prior to 0.6.1, AutoGPT allows SSRF due to DNS Rebinding in requests wrapper. AutoGPT is built with a wrapper around Python's requests library, hardening the application against SSRF. The code for this wrapper can be found in autogpt_platform/backend/backend/util/request.py. The requested hostname of a URL which is being requested is validated, ensuring that it does not resolve to any local ipv4 or ipv6 addresses. However, this check is not sufficient, as a DNS server may initially respond with a non-blocked address, with a TTL of 0. This means that the initial resolution would appear as a non-blocked address. In this case, validate_url() will return the url as successful. After validate_url() has successfully returned the url, the url is then passed to the real request() function. When the real request() function is called with the validated url, request() will once again resolve the address of the hostname, because the record will not have been cached (due to TTL 0). This resolution may be in the "invalid range". This type of attack is called a "DNS Rebinding Attack". This vulnerability is fixed in 0.6.1.

14 Apr 2025, 23:15

Type Values Removed Values Added
New CVE
Information

Published : 2025-04-14 23:15

Updated : 2025-04-15 18:39

NVD link : CVE-2025-31490

Mitre link : CVE-2025-31490

CVE.ORG link : CVE-2025-31490

JSON object : View

Products Affected

No product.

CWE
CWE-918

Server-Side Request Forgery (SSRF)