CVE-2025-0454 Overview
CVE-2025-0454 is a Server-Side Request Forgery (SSRF) vulnerability in the Requests utility of significant-gravitas/autogpt versions prior to v0.4.0. The flaw stems from a hostname parsing inconsistency between Python's urlparse function in urllib.parse and the requests HTTP library. An attacker can submit a crafted URL such as http://localhost:\@google.com/../ to bypass the SSRF filter while still directing the underlying request to an internal host. The issue is tracked under CWE-918 and affects the AutoGPT platform component used to fetch remote resources.
Critical Impact
Remote attackers can bypass URL allow-list checks to reach internal services, cloud metadata endpoints, and other resources reachable from the AutoGPT host.
Affected Products
- significant-gravitas AutoGPT Platform versions prior to v0.4.0
- AutoGPT backend Requests utility (autogpt_platform/backend)
- Deployments exposing the AutoGPT request feature to untrusted input
Discovery Timeline
- 2025-03-20 - CVE-2025-0454 published to the National Vulnerability Database
- 2025-08-05 - Last updated in NVD database
Technical Details for CVE-2025-0454
Vulnerability Analysis
The Requests utility in AutoGPT performs an SSRF safety check by parsing the user-supplied URL with urllib.parse.urlparse and validating the extracted hostname against a deny list. The actual HTTP request is then issued via the requests library. These two parsers do not interpret authority components identically. A URL of the form http://localhost:\@google.com/../ causes urlparse to extract google.com as the hostname, passing the safety check. The requests library, however, resolves the authority differently and dispatches the connection to localhost. This parser differential allows attackers to reach loopback interfaces, link-local addresses, and internal-only services from the AutoGPT host.
Root Cause
The root cause is reliance on a non-canonical URL parser for security decisions while a different parser drives the actual network operation. RFC 3986 authority handling around userinfo, backslashes, and path traversal markers is implemented inconsistently across Python libraries, and the SSRF check did not normalize or re-validate the URL using the same library that performs the request.
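One way to close this class of parser differential is sketched below as an added example; it is not the AutoGPT patch or code from the project. It refuses any URL whose authority parsers can read differently, checks every resolved address instead of the hostname string, and returns a rebuilt URL. The names check_outbound_url, UnsafeURL and system_resolver are hypothetical.

```python
import ipaddress
import socket
from urllib.parse import urlsplit, urlunsplit

class UnsafeURL(ValueError):
    """Raised when a URL is ambiguous or points at a non-public address."""

def system_resolver(host, port):
    # Default resolver; pass a different callable to resolve another way.
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return {info[4][0].split("%")[0] for info in infos}

def check_outbound_url(url, resolver=system_resolver):
    """Return (canonical_url, addresses) for a safe URL, else raise UnsafeURL."""
    # Refuse characters that URL parsers are known to interpret differently.
    if "\\" in url or any(ord(c) <= 0x20 or ord(c) == 0x7F for c in url):
        raise UnsafeURL("backslash, whitespace or control character")
    try:
        parts = urlsplit(url)
        port = parts.port
    except ValueError as exc:
        raise UnsafeURL(f"unparseable URL: {exc}") from None
    if parts.scheme not in ("http", "https"):
        raise UnsafeURL("scheme must be http or https")
    if "@" in parts.netloc:
        raise UnsafeURL("userinfo is not allowed")
    host = parts.hostname
    if not host:
        raise UnsafeURL("missing host")
    port = port or (443 if parts.scheme == "https" else 80)
    try:
        addresses = {str(ipaddress.ip_address(host))}  # IP literal: no DNS lookup
    except ValueError:
        addresses = set(resolver(host, port))
    if not addresses:
        raise UnsafeURL("host did not resolve")
    for text in addresses:
        ip = ipaddress.ip_address(text)
        ip = getattr(ip, "ipv4_mapped", None) or ip  # unwrap ::ffff:a.b.c.d
        if not ip.is_global:  # loopback, link-local, RFC1918, and similar ranges
            raise UnsafeURL(f"{host} resolves to non-public address {text}")
    # Rebuild the URL from validated parts so the HTTP client sees one reading.
    netloc = f"[{host}]" if ":" in host else host
    if parts.port:
        netloc += f":{parts.port}"
    canonical = urlunsplit((parts.scheme, netloc, parts.path or "/", parts.query, ""))
    return canonical, sorted(addresses)
```

The caller should connect to one of the returned addresses rather than resolving the name again, and should run the same check on every redirect target.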
Attack Vector
Exploitation requires only the ability to submit a URL to an AutoGPT workflow or agent action that invokes the vulnerable Requests utility. No authentication or user interaction is required on the target service. A malicious payload like http://localhost:\@169.254.169.254/latest/meta-data/ can target cloud instance metadata, internal admin panels, or unauthenticated services bound to loopback.
The upstream fix is applied in commit ff065cd24c2289878c0abdb9adbf91c305f0d70a, which hardens the SSRF check logic in the backend Requests utility. Source: significant-gravitas/autogpt commit ff065cd.
Detection Methods for CVE-2025-0454
Indicators of Compromise
- Outbound HTTP requests from AutoGPT processes targeting 127.0.0.1, ::1, 169.254.169.254, or RFC1918 ranges
- Application logs containing URLs with unusual authority constructs such as \@, %40, or embedded userinfo followed by external hostnames
- Unexpected access to cloud metadata endpoints or internal admin services originating from the AutoGPT host
Detection Strategies
- Inspect AutoGPT request logs for URLs whose urlparse hostname differs from the host actually contacted in egress telemetry
- Alert on AutoGPT agents issuing requests to private IP ranges, loopback, or metadata IPs
- Apply regex matching for suspicious URL patterns such as ://[^/]*[\\@] in user-submitted inputs
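The first and third strategies above can be combined in a small log scanner, shown here as an added example that is not part of the original advisory or of AutoGPT. It applies the regex quoted above and flags URLs whose urlparse hostname differs from a stricter reading in which a backslash also ends the authority; that stricter reading is an assumption standing in for the second parser, and the log format and sample lines are constructed.

```python
import re
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
AUTHORITY_PATTERN = re.compile(r"://[^/]*[\\@]")  # pattern quoted in the advisory

# Constructed sample log lines (assumed format: "<timestamp> INFO request url=<url>").
SAMPLE_LOG = [
    "2025-03-21T10:00:01Z INFO request url=https://example.com/feed.xml",
    "2025-03-21T10:00:05Z INFO request url=http://localhost:\\@google.com/../",
    "2025-03-21T10:00:09Z INFO request url=https://api.example.org/v1?contact=a@b.example",
]

def strict_host(url):
    """Host when the authority also ends at a backslash (assumed second-parser model)."""
    rest = url.split("://", 1)[1]
    authority = re.split(r"[/\\?#]", rest, maxsplit=1)[0]
    hostport = authority.rpartition("@")[2]
    if hostport.startswith("["):  # bracketed IPv6 literal
        return hostport[1:].split("]")[0].lower()
    return hostport.split(":")[0].lower()

def scan_log(lines):
    """Return one finding per logged URL that looks like a parser-differential attempt."""
    findings = []
    for number, line in enumerate(lines, 1):
        for match in URL_RE.finditer(line):
            url = match.group(0)
            try:
                parts = urlsplit(url)
                loose, netloc = (parts.hostname or "").lower(), parts.netloc
            except ValueError:
                loose, netloc = "", ""
            strict = strict_host(url)
            reasons = []
            if AUTHORITY_PATTERN.search(url):
                reasons.append("backslash-or-at-in-authority")
            if "%40" in netloc:
                reasons.append("encoded-at-in-authority")
            if loose != strict:
                reasons.append("host-mismatch")
            if reasons:
                findings.append({"line": number, "url": url, "urlparse_host": loose,
                                 "strict_host": strict, "reasons": reasons})
    return findings
```

A host-mismatch finding is the stronger signal of the two, since an `@` in a query string after a bare hostname can also trip the regex.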
Monitoring Recommendations
- Forward AutoGPT backend logs and host network flows to a centralized analytics pipeline for correlation
- Baseline normal external destinations for AutoGPT agents and alert on deviations
- Track process-to-destination mappings for the AutoGPT runtime to detect SSRF-driven internal pivots
How to Mitigate CVE-2025-0454
Immediate Actions Required
- Upgrade significant-gravitas/autogpt to v0.4.0 or later, which includes commit ff065cd24c2289878c0abdb9adbf91c305f0d70a
- Audit AutoGPT workflows that accept user-supplied URLs and restrict their use until patched
- Rotate any cloud credentials reachable via instance metadata from hosts that ran vulnerable versions
Patch Information
The maintainers fixed the SSRF bypass in the AutoGPT backend. Apply the upstream patch from the GitHub commit ff065cd and update to a release that includes it. Additional context is available in the Huntr bounty listing.
Workarounds
- Place AutoGPT behind an egress proxy that blocks loopback, link-local, and RFC1918 destinations
- Run AutoGPT in a network namespace with no route to internal services or 169.254.169.254
- Enforce strict URL allow-lists at the network layer rather than within the application
# Example egress restriction using iptables to block metadata and internal ranges
iptables -A OUTPUT -m owner --uid-owner autogpt -d 169.254.169.254 -j REJECT
iptables -A OUTPUT -m owner --uid-owner autogpt -d 127.0.0.0/8 -j REJECT
iptables -A OUTPUT -m owner --uid-owner autogpt -d 10.0.0.0/8 -j REJECT
iptables -A OUTPUT -m owner --uid-owner autogpt -d 172.16.0.0/12 -j REJECT
iptables -A OUTPUT -m owner --uid-owner autogpt -d 192.168.0.0/16 -j REJECT


