CVE-2025-22603
Published: 10 March 2025
Description
Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation.
Security Summary
CVE-2025-22603 is a server-side request forgery (SSRF) vulnerability, classified under CWE-918, affecting the AutoGPT platform in versions prior to autogpt-platform-beta-v0.4.2. AutoGPT is a platform that enables users to create, deploy, and manage continuous artificial intelligence agents for automating complex workflows. The flaw resides in the `Send Web Request` component, where IPv6 addresses are not restricted or filtered, allowing attackers to forge server-side requests to IPv6 services. The vulnerability carries a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N) and was published on 2025-03-10.
Low-privileged users (PR:L) can exploit this vulnerability remotely with low complexity and no user interaction required. By leveraging the `Send Web Request` component, attackers can direct the server to make unauthorized requests to IPv6 services, potentially resulting in high confidentiality and integrity impacts, such as accessing internal resources or manipulating data.
The vulnerability is addressed in autogpt-platform-beta-v0.4.2, as detailed in the GitHub security advisory GHSA-4c8v-hwxc-2356 and the fixing commit 26214e1b2c6777e0fae866642b23420adaadd6c4. Additional analysis is provided in the Notion page at https://boatneck-faucet-cba.notion.site/SSRF-of-AutoGPT-153b650a4d88804d923ad65a015a7d61 and the affected source code at https://github.com/Significant-Gravitas/AutoGPT/blob/2121ffd06b26a438706bf642372cc46d81c94ddc/autogpt_platform/backend/backend/util/request.py#L11. Security practitioners should ensure deployment of the patched version to mitigate the issue.
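The class of gap described above, shown as an added example that is not AutoGPT's code or its fix: an IPv4-only blocklist lets every IPv6 literal through, while a check covering both address families rejects internal targets. The function names, blocklist and sample URLs are assumptions constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Illustrative IPv4-only blocklist (assumed; not AutoGPT's actual list).
IPV4_ONLY_BLOCKED = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16")]

def weak_is_blocked(host: str) -> bool:
    """IPv4-only check: an IPv6 literal is never examined."""
    try:
        ip = ipaddress.IPv4Address(host)
    except ValueError:
        return False  # not an IPv4 literal, so it falls through as allowed
    return any(ip in net for net in IPV4_ONLY_BLOCKED)

def hardened_is_blocked(host: str) -> bool:
    """Check both address families; fail closed on anything unparseable."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return True  # hostnames must be resolved and each address checked
    # Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) so the embedded IPv4 is judged.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)

def url_host(url: str) -> str:
    """Extract the host; urlsplit strips the brackets from IPv6 literals."""
    return urlsplit(url).hostname or ""

# Constructed sample URLs (not taken from the advisory).
SAMPLES = [
    "http://10.0.0.5/",                # private IPv4
    "http://[::1]:8080/",              # IPv6 loopback
    "http://[fd00::10]/",              # IPv6 unique local address
    "http://[fe80::1]/",               # IPv6 link-local
    "http://[::ffff:127.0.0.1]/",      # IPv4-mapped loopback
    "http://[2606:4700:4700::1111]/",  # public IPv6, should stay allowed
]

def compare(urls):
    """Map each URL to (weak_blocked, hardened_blocked)."""
    return {u: (weak_is_blocked(url_host(u)), hardened_is_blocked(url_host(u)))
            for u in urls}

if __name__ == "__main__":
    for url, (weak, hard) in compare(SAMPLES).items():
        print(f"{url:34} weak_blocked={weak!s:5} hardened_blocked={hard}")
```

The check covers address literals only; for hostnames, the same test has to be applied to every resolved address, and the connection made to the address that was checked.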
Details
- CWE(s)
Affected Products
AI Security Analysis
- AI Category
- AI Agent Protocols and Integrations
- Risk Domain
- Other ATLAS/OWASP Terms
- OWASP Top 10 for LLMs 2025
- None mapped
- MITRE ATLAS Techniques
- None mapped
- Classification Reason
- AutoGPT is explicitly described as a platform for creating, deploying, and managing continuous artificial intelligence agents, which aligns directly with the AI Agent Protocols and Integrations category.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The SSRF vulnerability in the public-facing AutoGPT platform (T1190) allows attackers to force the server to make unauthorized requests to arbitrary IPv6 addresses, facilitating remote system discovery (T1018) and network service discovery (T1046) of internal resources.