CVE Vulnerability Database

CVE-2025-1040: AutoGPT Platform SSTI RCE Vulnerability

CVE-2025-1040 is a Server-Side Template Injection vulnerability in AutoGPT Platform that enables remote code execution. Attackers exploit Jinja2 template handling to run arbitrary commands. This article covers technical details, affected versions, impact, and mitigation strategies.


CVE-2025-1040 Overview

CVE-2025-1040 is a Server-Side Template Injection (SSTI) vulnerability affecting AutoGPT versions 0.3.4 and earlier. The flaw exists in the AgentOutputBlock implementation, which passes user-supplied format strings to the Jinja2 templating engine without proper sanitization. Authenticated attackers can craft malicious template payloads that escape the sandbox and execute arbitrary commands on the host running AutoGPT. The maintainers fixed the issue in version 0.4.0. The CWE classification is CWE-1336 (Improper Neutralization of Special Elements Used in a Template Engine).

Critical Impact

Successful exploitation grants attackers Remote Code Execution on the AutoGPT host, exposing API keys, agent data, and any system the AutoGPT process can reach.

Affected Products

  • AutoGPT Platform versions 0.3.4 and earlier
  • Significant Gravitas AutoGPT (agpt:autogpt_platform)
  • All deployments using the vulnerable AgentOutputBlock component

Discovery Timeline

  • 2025-03-20 - CVE-2025-1040 published to the National Vulnerability Database
  • 2025-10-15 - Last updated in NVD database

Technical Details for CVE-2025-1040

Vulnerability Analysis

The vulnerability resides in the AgentOutputBlock implementation within AutoGPT. This component accepts a user-controlled format string and renders it through the Jinja2 templating engine. The string is rendered with a default, unsandboxed Jinja2 Environment and no input filtering, so template expressions are evaluated with full access to Python object attributes.

Attackers who can submit or influence agent block configurations can supply Jinja2 syntax that traverses Python's object model. From there, they can reach built-in modules such as os or subprocess and execute shell commands. The exploit results in arbitrary code execution under the privileges of the AutoGPT process.

The issue has an EPSS score of 11.6% (93rd percentile), indicating elevated exploitation likelihood relative to the broader CVE population. No public proof-of-concept has been catalogued in Exploit-DB, and the vulnerability is not listed on the CISA KEV catalog.

Root Cause

The root cause is the use of an unsandboxed Jinja2 Environment to render attacker-controllable format strings. Jinja2's default environment allows access to Python object internals through attributes such as __class__, __mro__, and __subclasses__(). The AgentOutputBlock did not enforce input validation, allowlisting, or sandboxing on the format parameter before invoking the renderer.
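The hardening this root cause calls for, as an added example written for this article (it is not AutoGPT's code and not the 0.4.0 fix): a user-supplied output format string is either handled by a stdlib renderer that accepts only plain `{name}` placeholders from an allowlist, so no template engine ever sees it, or rendered through jinja2's `SandboxedEnvironment`, whose attribute check refuses underscore attributes such as `__class__` and raises `SecurityError` when a template tries to traverse further. `ALLOWED_FIELDS`, the function names and the sample context are assumptions; jinja2 is optional for running the block.

```python
"""Added example (not AutoGPT's code, and not the 0.4.0 fix): rendering a
user-supplied output format string without handing it to an unsandboxed
jinja2.Environment.

Two hardened options are shown:
  1. a stdlib renderer that accepts only plain {name} placeholders from an
     allowlist, so no template engine ever sees the user's string, and
  2. jinja2's SandboxedEnvironment, whose is_safe_attribute check refuses
     underscore attributes such as __class__ and raises SecurityError when
     the template tries to go further (jinja2 is optional here).
ALLOWED_FIELDS is an assumed allowlist, not AutoGPT's.
"""
import re
from string import Formatter

try:
    from jinja2.sandbox import SandboxedEnvironment
    from jinja2.exceptions import SecurityError
except ImportError:  # jinja2 not installed: render_sandboxed() reports that
    SandboxedEnvironment = None
    SecurityError = None

# Placeholder names a format string may reference (assumed allowlist).
ALLOWED_FIELDS = frozenset({"name", "value", "agent_id"})
# Jinja2 delimiters; their presence means the string is a template, not a format.
JINJA_DELIMS = re.compile(r"\{\{|\{%|\{#")


def render_allowlisted(fmt, context):
    """Substitute {name} placeholders from `context`; reject anything richer.

    Rejected with ValueError: Jinja2 delimiters, attribute or index access
    ({a.b}, {a[0]}), conversions ({a!r}), format specs ({a:>8}), positional
    or empty fields ({0}, {}) and names outside ALLOWED_FIELDS. Substituted
    values are inserted as text and never parsed again.
    """
    if JINJA_DELIMS.search(fmt):
        raise ValueError("template syntax is not allowed in format strings")
    out = []
    for literal, field, spec, conversion in Formatter().parse(fmt):
        out.append(literal)
        if field is None:            # trailing literal with no placeholder
            continue
        if spec or conversion or not field.isidentifier():
            raise ValueError(f"unsupported field expression: {field!r}")
        if field not in ALLOWED_FIELDS:
            raise ValueError(f"unknown field: {field!r}")
        out.append(str(context.get(field, "")))
    return "".join(out)


def render_sandboxed(fmt, context):
    """Render with jinja2's sandbox; return (ok, text) or (None, reason)."""
    if SandboxedEnvironment is None:
        return (None, "jinja2 not installed")
    env = SandboxedEnvironment(autoescape=False)
    try:
        return (True, env.from_string(fmt).render(**context))
    except SecurityError as exc:
        return (False, f"blocked by sandbox: {exc}")


if __name__ == "__main__":
    ctx = {"name": "demo-agent", "value": 42}
    print(render_allowlisted("Output of {name}: {value}", ctx))
    for bad in ("{name.__class__}", "{{ value }}", "{secret}"):
        try:
            render_allowlisted(bad, ctx)
        except ValueError as exc:
            print(f"rejected {bad!r}: {exc}")
    print(render_sandboxed("{{ name.__class__.__mro__ }}", ctx))
```

The allowlist renderer is the stronger of the two options: it removes the template engine from the user-controlled path entirely, which is the only way to be sure that no future engine feature reopens object traversal. The sandbox is the pragmatic choice when a deployment genuinely needs Jinja2 expressions in output formats.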

Attack Vector

The attack vector is network-based and requires low privileges - any authenticated user able to configure or submit an agent block can supply the malicious format string. No user interaction is required. The vulnerable template rendering occurs server-side, so the payload executes on the AutoGPT backend.

Exploitation typically chains Jinja2 object traversal expressions to reach Python's subprocess or os.popen primitives. The attacker then issues arbitrary OS commands which are executed inline during template rendering. Refer to the Huntr Bounty Listing for additional technical context.

Detection Methods for CVE-2025-1040

Indicators of Compromise

  • Unexpected child processes spawned by the AutoGPT Python process, such as /bin/sh, bash, curl, or wget
  • Outbound network connections from the AutoGPT host to unknown infrastructure shortly after agent block submissions
  • Jinja2 template strings in request bodies containing sequences like {{ followed by __class__, __subclasses__, __mro__, or __globals__
  • New files written to AutoGPT working directories that were not produced by legitimate agent runs

Detection Strategies

  • Inspect AutoGPT application logs for AgentOutputBlock invocations containing Jinja2 control structures ({%, {{) submitted by non-trusted users
  • Apply WAF or reverse-proxy rules that flag template syntax in fields not expected to contain it
  • Hunt for process-lineage anomalies where the Python AutoGPT process forks shells or interpreters
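Detection logic for the indicators and hunting strategies above, run over constructed sample telemetry, as an added example written for this article (not AutoGPT's code, and not its real log schema): it flags AgentOutputBlock submissions whose format field contains Jinja2 delimiters or the object-traversal attributes named above, walks process-creation events to find shells or download tools anywhere under the AutoGPT worker's process tree, and correlates the two within a short window. Every record, field name and pid is a constructed assumption.

```python
"""Added example (not AutoGPT's code): detection logic for the indicators
above, run over constructed sample telemetry.

Three checks are combined:
  1. AgentOutputBlock format fields containing Jinja2 delimiters or the
     object-traversal attributes named on the page,
  2. process lineage: shells or download tools spawned under the AutoGPT
     worker process (including grandchildren), and
  3. correlation of the two within a short time window.
All records, field names and pids are constructed assumptions, not the
real AutoGPT log schema.
"""
import json
import re
from datetime import datetime
from posixpath import basename

# Jinja2 delimiters that should never appear in a plain output format field.
TEMPLATE_DELIMS = re.compile(r"\{\{|\{%|\{#")
# Attributes used to walk the Python object model (those the page lists, plus __builtins__).
TRAVERSAL_ATTRS = re.compile(r"__(?:class|mro|subclasses|globals|builtins)__")
# Executables the AutoGPT worker has no legitimate reason to spawn.
SUSPICIOUS_CHILDREN = {"sh", "bash", "dash", "zsh", "curl", "wget", "nc"}

# Constructed API audit log (JSON lines); the schema is assumed.
API_LOG = """
{"ts": "2025-03-21T10:02:11Z", "user": "alice", "block": "AgentOutputBlock", "format": "Result: {{ value }}"}
{"ts": "2025-03-21T10:03:40Z", "user": "mallory", "block": "AgentOutputBlock", "format": "{{ ''.__class__.__mro__ }}"}
{"ts": "2025-03-21T10:04:02Z", "user": "bob", "block": "AgentInputBlock", "format": "{{ anything }}"}
{"ts": "2025-03-21T10:05:15Z", "user": "carol", "block": "AgentOutputBlock", "format": "Summary for {name}"}
""".strip().splitlines()

# Constructed process-creation events; pid 4000 is assumed to be the AutoGPT worker.
AUTOGPT_PIDS = {4000}
PROC_EVENTS = [
    {"ts": "2025-03-21T10:03:41Z", "pid": 4100, "ppid": 4000, "exe": "/bin/sh"},
    {"ts": "2025-03-21T10:03:42Z", "pid": 4101, "ppid": 4100, "exe": "/usr/bin/curl"},
    {"ts": "2025-03-21T10:10:00Z", "pid": 4200, "ppid": 4000, "exe": "/usr/bin/python3"},
    {"ts": "2025-03-21T10:11:00Z", "pid": 4300, "ppid": 1, "exe": "/bin/sh"},
]


def _ts(value):
    """Parse an ISO-8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def inspect_format_field(fmt):
    """Return the indicator names triggered by one format string."""
    hits = []
    if TEMPLATE_DELIMS.search(fmt):
        hits.append("jinja2_delimiter")
    if TRAVERSAL_ATTRS.search(fmt):
        hits.append("object_traversal")
    return hits


def scan_api_log(lines):
    """Flag AgentOutputBlock submissions whose format field looks like a template."""
    findings = []
    for line in lines:
        rec = json.loads(line)
        if rec.get("block") != "AgentOutputBlock":
            continue
        hits = inspect_format_field(rec.get("format", ""))
        if hits:
            findings.append({"ts": rec["ts"], "user": rec["user"], "hits": hits,
                             "severity": "high" if "object_traversal" in hits else "medium"})
    return findings


def scan_process_events(events, roots):
    """Flag suspicious executables anywhere in the AutoGPT worker's process tree."""
    descendants = set(roots)   # pids known to descend from the worker
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["ppid"] not in descendants:
            continue
        descendants.add(ev["pid"])
        if basename(ev["exe"]) in SUSPICIOUS_CHILDREN:
            findings.append({"ts": ev["ts"], "pid": ev["pid"], "exe": ev["exe"]})
    return findings


def correlate(api_findings, proc_findings, window_s=60):
    """Pair a template-looking submission with process spawns that follow it within window_s."""
    pairs = []
    for a in api_findings:
        t0 = _ts(a["ts"])
        for p in proc_findings:
            delta = (_ts(p["ts"]) - t0).total_seconds()
            if 0 <= delta <= window_s:
                pairs.append((a["user"], p["exe"], int(delta)))
    return pairs


if __name__ == "__main__":
    api = scan_api_log(API_LOG)
    procs = scan_process_events(PROC_EVENTS, AUTOGPT_PIDS)
    for f in api:
        print("API  ", f)
    for f in procs:
        print("PROC ", f)
    for user, exe, delta in correlate(api, procs):
        print(f"CORRELATED user={user} spawned {exe} {delta}s after submission")
```

The lineage walk seeds its set with the worker's pid and adds every descendant, so a curl launched by a shell that the worker spawned is still attributed to the worker; the correlation step is what turns a medium-severity "template syntax in a format field" alert into something an analyst should pick up immediately.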

Monitoring Recommendations

  • Forward AutoGPT API and process telemetry to a centralized SIEM for correlation against template injection signatures
  • Baseline normal outbound network destinations from the AutoGPT host and alert on deviations
  • Enable verbose audit logging on user-submitted block configurations to support post-incident review

How to Mitigate CVE-2025-1040

Immediate Actions Required

  • Upgrade AutoGPT to version 0.4.0 or later, which removes the unsafe Jinja2 rendering path
  • Restrict access to the AutoGPT platform so that only trusted, authenticated users can configure agent blocks
  • Audit existing agent configurations for Jinja2 syntax in AgentOutputBlock format fields and remove suspicious entries
  • Rotate any credentials, API keys, or tokens accessible from the AutoGPT host if exploitation is suspected

Patch Information

The fix is committed in the upstream AutoGPT repository and shipped in release 0.4.0. Review the patch in the GitHub Commit Overview for implementation details. The commit replaces unsafe template handling in the AgentOutputBlock to prevent attacker-controlled expressions from being evaluated.

Workarounds

  • If upgrading is not immediately possible, disable or restrict the AgentOutputBlock until the patch can be applied
  • Place the AutoGPT service behind an authenticated reverse proxy and enforce strict role-based access control
  • Run AutoGPT in an isolated container with minimal filesystem and network privileges to limit the blast radius of any RCE

```bash
# Upgrade AutoGPT to the patched release
pip install --upgrade "agpt>=0.4.0"

# Verify the installed version
pip show agpt | grep -i version
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
