CVE-2025-0454

Exploit

EPSS 0.53%
Veröffentlicht 20.03.2025 10:11:30
Zuletzt bearbeitet 05.08.2025 17:04:05
Quelle security@huntr.dev
CVE-Watchlists
Login
Unerledigt
Login

SSRF Check Bypass in Requests Utility in significant-gravitas/autogpt

A Server-Side Request Forgery (SSRF) vulnerability was identified in the Requests utility of significant-gravitas/autogpt versions prior to v0.4.0. The vulnerability arises due to a hostname confusion between the `urlparse` function from the `urllib.parse` library and the `requests` library. A malicious user can exploit this by submitting a specially crafted URL, such as `http://localhost:\@google.com/../`, to bypass the SSRF check and perform an SSRF attack.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

NVD 1 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Agpt ≫ Autogpt Platform Version < 0.4.0

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.53%	0.407

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
security@huntr.dev	7.5	3.9	3.6	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE-918 Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

https://huntr.com/bounties/0664fdee-bdc2-4650-8075-74d7b8d3e308

Third Party Advisory

Exploit

https://github.com/significant-gravitas/autogpt/commit/ff065cd24c2289878c0abdb9adbf91c305f0d70a

Patch

https://nvd.nist.gov/vuln/detail/CVE-2025-0454

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-0454

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-0454

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2025-0454