{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-31490", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-03-28T13:36:51.298Z", "datePublished": "2025-04-14T23:07:25.840Z", "dateUpdated": "2025-04-15T03:00:21.930Z"}, "containers": {"cna": {"title": "AutoGPT allows SSRF due to DNS Rebinding in requests wrapper", "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "lang": "en", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/Significant-Gravitas/AutoGPT/security/advisories/GHSA-wvjg-9879-3m7w", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/Significant-Gravitas/AutoGPT/security/advisories/GHSA-wvjg-9879-3m7w"}, {"name": "https://github.com/Significant-Gravitas/AutoGPT/commit/66ebe4376eab3434af90808796b54c2139847b37", "tags": ["x_refsource_MISC"], "url": "https://github.com/Significant-Gravitas/AutoGPT/commit/66ebe4376eab3434af90808796b54c2139847b37"}], "affected": [{"vendor": "Significant-Gravitas", "product": "AutoGPT", "versions": [{"version": "< 0.6.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-04-14T23:15:32.637Z"}, "descriptions": [{"lang": "en", "value": "AutoGPT is a platform that allows users to create, deploy, and manage continuous artificial intelligence agents that automate complex workflows. Prior to 0.6.1, AutoGPT allows SSRF due to DNS Rebinding in requests wrapper. AutoGPT is built with a wrapper around Python's requests library, hardening the application against SSRF. The code for this wrapper can be found in autogpt_platform/backend/backend/util/request.py. The requested hostname of a URL which is being requested is validated, ensuring that it does not resolve to any local ipv4 or ipv6 addresses. However, this check is not sufficient, as a DNS server may initially respond with a non-blocked address, with a TTL of 0. This means that the initial resolution would appear as a non-blocked address. In this case, validate_url() will return the url as successful. After validate_url() has successfully returned the url, the url is then passed to the real request() function. When the real request() function is called with the validated url, request() will once again resolve the address of the hostname, because the record will not have been cached (due to TTL 0). This resolution may be in the \"invalid range\". This type of attack is called a \"DNS Rebinding Attack\". This vulnerability is fixed in 0.6.1."}], "source": {"advisory": "GHSA-wvjg-9879-3m7w", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-04-15T02:59:57.666904Z", "id": "CVE-2025-31490", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-15T03:00:21.930Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-31490", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-03-28T13:36:51.298Z", "datePublished": "2025-04-14T23:07:25.840Z", "dateUpdated": "2025-04-15T03:00:21.930Z"}, "containers": {"cna": {"title": "AutoGPT allows SSRF due to DNS Rebinding in requests wrapper", "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "lang": "en", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/Significant-Gravitas/AutoGPT/security/advisories/GHSA-wvjg-9879-3m7w", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/Significant-Gravitas/AutoGPT/security/advisories/GHSA-wvjg-9879-3m7w"}, {"name": "https://github.com/Significant-Gravitas/AutoGPT/commit/66ebe4376eab3434af90808796b54c2139847b37", "tags": ["x_refsource_MISC"], "url": "https://github.com/Significant-Gravitas/AutoGPT/commit/66ebe4376eab3434af90808796b54c2139847b37"}], "affected": [{"vendor": "Significant-Gravitas", "product": "AutoGPT", "versions": [{"version": "< 0.6.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-04-14T23:15:32.637Z"}, "descriptions": [{"lang": "en", "value": "AutoGPT is a platform that allows users to create, deploy, and manage continuous artificial intelligence agents that automate complex workflows. Prior to 0.6.1, AutoGPT allows SSRF due to DNS Rebinding in requests wrapper. AutoGPT is built with a wrapper around Python's requests library, hardening the application against SSRF. The code for this wrapper can be found in autogpt_platform/backend/backend/util/request.py. The requested hostname of a URL which is being requested is validated, ensuring that it does not resolve to any local ipv4 or ipv6 addresses. However, this check is not sufficient, as a DNS server may initially respond with a non-blocked address, with a TTL of 0. This means that the initial resolution would appear as a non-blocked address. In this case, validate_url() will return the url as successful. After validate_url() has successfully returned the url, the url is then passed to the real request() function. When the real request() function is called with the validated url, request() will once again resolve the address of the hostname, because the record will not have been cached (due to TTL 0). This resolution may be in the \"invalid range\". This type of attack is called a \"DNS Rebinding Attack\". This vulnerability is fixed in 0.6.1."}], "source": {"advisory": "GHSA-wvjg-9879-3m7w", "discovery": "UNKNOWN"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-31490", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-04-15T02:59:57.666904Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-15T03:00:17.683Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "AutoGPT is a platform that allows users to create, deploy, and manage continuous artificial intelligence agents that automate complex workflows. Prior to 0.6.1, AutoGPT allows SSRF due to DNS Rebinding in requests wrapper. AutoGPT is built with a wrapper around Python's requests library, hardening the application against SSRF. The code for this wrapper can be found in autogpt_platform/backend/backend/util/request.py. The requested hostname of a URL which is being requested is validated, ensuring that it does not resolve to any local ipv4 or ipv6 addresses. However, this check is not sufficient, as a DNS server may initially respond with a non-blocked address, with a TTL of 0. This means that the initial resolution would appear as a non-blocked address. In this case, validate_url() will return the url as successful. After validate_url() has successfully returned the url, the url is then passed to the real request() function. When the real request() function is called with the validated url, request() will once again resolve the address of the hostname, because the record will not have been cached (due to TTL 0). This resolution may be in the \"invalid range\". This type of attack is called a \"DNS Rebinding Attack\". This vulnerability is fixed in 0.6.1."}, {"lang": "es", "value": "AutoGPT es una plataforma que permite a los usuarios crear, implementar y gestionar agentes continuos de inteligencia artificial que automatizan flujos de trabajo complejos. Antes de la versi\u00f3n 0.6.1, AutoGPT permit\u00eda SSRF gracias a la revinculaci\u00f3n de DNS en el contenedor de solicitudes. AutoGPT se basa en un contenedor alrededor de la librer\u00eda de solicitudes de Python, lo que refuerza la aplicaci\u00f3n contra SSRF. El c\u00f3digo de este contenedor se encuentra en autogpt_platform/backend/backend/util/request.py. Se valida el nombre de host de la URL solicitada, lo que garantiza que no se resuelva a ninguna direcci\u00f3n IPv4 o IPv6 local. Sin embargo, esta comprobaci\u00f3n no es suficiente, ya que un servidor DNS podr\u00eda responder inicialmente con una direcci\u00f3n no bloqueada, con un TTL de 0. Esto significa que la resoluci\u00f3n inicial aparecer\u00eda como una direcci\u00f3n no bloqueada. En este caso, validate_url() devolver\u00e1 la URL como correcta. Una vez que validate_url() haya devuelto la URL correctamente, esta se pasa a la funci\u00f3n request() real. Al llamar a la funci\u00f3n request() con la URL validada, request() resolver\u00e1 de nuevo la direcci\u00f3n del nombre de host, ya que el registro no se habr\u00e1 almacenado en cach\u00e9 (debido al TTL 0). Esta resoluci\u00f3n podr\u00eda estar en el rango inv\u00e1lido. Este tipo de ataque se denomina \"Ataque de Revinculaci\u00f3n DNS\". Esta vulnerabilidad se corrigi\u00f3 en la versi\u00f3n 0.6.1."}], "id": "CVE-2025-31490", "lastModified": "2025-04-15T18:39:27.967", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2025-04-14T23:15:21.713", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/Significant-Gravitas/AutoGPT/commit/66ebe4376eab3434af90808796b54c2139847b37"}, {"source": "security-advisories@github.com", "url": "https://github.com/Significant-Gravitas/AutoGPT/security/advisories/GHSA-wvjg-9879-3m7w"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}