CVE-2025-1040
Published: 20 March 2025
Description
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Security Summary
CVE-2025-1040 is a Server-Side Template Injection (SSTI) vulnerability affecting AutoGPT versions 0.3.4 and earlier. The flaw stems from improper handling of user-supplied format strings in the AgentOutputBlock implementation, where malicious input is passed directly to the Jinja2 templating engine without sufficient security controls, enabling Remote Code Execution (RCE). It is classified under CWE-1336 with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
An attacker with low privileges, such as an authenticated user, can exploit this vulnerability remotely over the network with low attack complexity and no user interaction required. Exploitation involves injecting malicious templates that execute arbitrary commands on the host system, granting high-impact access to confidentiality, integrity, and availability.
The issue is addressed in AutoGPT version 0.4.0. The fixing commit is documented at https://github.com/significant-gravitas/autogpt/commit/6dba31e0215549604bdcc1aed24e3a1714e75ee2, with additional details available via the Huntr bounty report at https://huntr.com/bounties/b74ef75f-61d5-4422-ab15-9550c8b4f185.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SSTI vulnerability directly enables remote exploitation of the application for arbitrary command execution (RCE) on the host.