
CVE-2025-31494 – AutoGPT allows cross-user sharing of node execution results through WebSockets API
https://notcve.org/view.php?id=CVE-2025-31494
14 Apr 2025 — AutoGPT is a platform that allows users to create, deploy, and manage continuous artificial intelligence agents that automate complex workflows. The AutoGPT Platform's WebSocket API transmitted node execution updates to subscribers based on the graph_id+graph_version. Additionally, there was no check prohibiting users from subscribing with another user's graph_id+graph_version. As a result, node execution updates from one user's graph execution could be received by another user within the same instance. Thi... • https://github.com/Significant-Gravitas/AutoGPT/pull/9660 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-284: Improper Access Control •

CVE-2025-31491 – AutoGPT allows leakage of cross-domain cookies and protected headers in requests redirect
https://notcve.org/view.php?id=CVE-2025-31491
14 Apr 2025 — AutoGPT is a platform that allows users to create, deploy, and manage continuous artificial intelligence agents that automate complex workflows. Prior to 0.6.1, AutoGPT allows leakage of cross-domain cookies and protected headers in request redirects. AutoGPT uses a wrapper around the requests Python library, located in autogpt_platform/backend/backend/util/request.py. In this wrapper, redirects are specifically NOT followed for the first request. If the wrapper is used with allow_redirects set to True (... • https://github.com/Significant-Gravitas/AutoGPT/security/advisories/GHSA-ggcm-93qg-gfhp • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVE-2025-31490 – AutoGPT allows SSRF due to DNS Rebinding in requests wrapper
https://notcve.org/view.php?id=CVE-2025-31490
14 Apr 2025 — AutoGPT is a platform that allows users to create, deploy, and manage continuous artificial intelligence agents that automate complex workflows. Prior to 0.6.1, AutoGPT allows SSRF due to DNS rebinding in the requests wrapper. AutoGPT is built with a wrapper around Python's requests library, hardening the application against SSRF. The code for this wrapper can be found in autogpt_platform/backend/backend/util/request.py. The hostname of a requested URL is validated, ensuring that it doe... • https://github.com/Significant-Gravitas/AutoGPT/commit/66ebe4376eab3434af90808796b54c2139847b37 • CWE-918: Server-Side Request Forgery (SSRF) •