CVE-2025-22603 Overview
CVE-2025-22603 is a Server-Side Request Forgery (SSRF) vulnerability in the AutoGPT Platform, an open-source system for building and running autonomous AI agents. The flaw resides in the Send Web Request block, where the URL validation logic blocks internal IPv4 ranges but fails to filter IPv6 addresses. Attackers can craft requests that force the AutoGPT backend to reach internal IPv6 services, bypassing existing SSRF protections. Versions of autogpt-platform-beta prior to v0.4.2 are affected. The issue is tracked under [CWE-918].
Critical Impact
Unauthenticated attackers can coerce the AutoGPT backend into sending HTTP requests to internal IPv6-reachable services, exposing private network resources.
Affected Products
- AutoGPT Platform (agpt:autogpt_platform) beta releases prior to autogpt-platform-beta-v0.4.2
- Deployments using the Send Web Request agent block
- Self-hosted AutoGPT instances exposed to untrusted agent input
Discovery Timeline
- 2025-03-10 - CVE-2025-22603 published to NVD
- 2026-01-28 - Last updated in NVD database
Technical Details for CVE-2025-22603
Vulnerability Analysis
The AutoGPT Platform exposes a Send Web Request block that agents use to perform outbound HTTP calls. To prevent agents from probing internal infrastructure, the backend maintains a BLOCKED_IP_NETWORKS list in autogpt_platform/backend/backend/util/request.py. The pre-patch list enumerates private and reserved IPv4 ranges such as 10.0.0.0/8, 127.0.0.0/8, and 169.254.0.0/16, but it omits the equivalent IPv6 ranges.
An attacker who controls agent input or workflow definitions can submit a target URL that resolves to an IPv6 loopback (::1), link-local (fe80::/10), or unique local (fc00::/7) address. The backend resolves the host, fails to match any blocked IPv4 network, and issues the request. The response body and headers are returned to the calling agent context, enabling reconnaissance of internal IPv6 services, cloud metadata endpoints reachable over IPv6, and other backend systems.
Root Cause
The root cause is incomplete deny-list validation. The SSRF guard in request.py enforced IPv4 ranges only, leaving IPv6 destinations entirely unrestricted. Any host resolving to an IPv6 address bypassed the filter even when its IPv4 equivalent would have been blocked.
Attack Vector
Exploitation requires no authentication and no user interaction. An attacker submits a URL with an IPv6 host or a hostname whose DNS record returns an AAAA record pointing at an internal address. The Send Web Request block dispatches the request from the AutoGPT server, and the response is exposed to the attacker through the agent output.
# List of IP networks to block
BLOCKED_IP_NETWORKS = [
# --8<-- [start:BLOCKED_IP_NETWORKS]
# IPv4 Ranges
ipaddress.ip_network("0.0.0.0/8"), # "This" Network
ipaddress.ip_network("10.0.0.0/8"), # Private-Use
ipaddress.ip_network("127.0.0.0/8"), # Loopback
Source: GitHub Commit 26214e1. The patch extends BLOCKED_IP_NETWORKS to include IPv6 ranges, closing the bypass.
Detection Methods for CVE-2025-22603
Indicators of Compromise
- Outbound HTTP requests from the AutoGPT backend to IPv6 loopback (::1), link-local (fe80::/10), or unique local (fc00::/7) destinations.
- Agent execution logs showing Send Web Request blocks targeting hostnames that resolve only to AAAA records on internal subnets.
- Unexpected access patterns to cloud metadata services or internal APIs originating from the AutoGPT host.
Detection Strategies
- Inspect AutoGPT backend logs for Send Web Request invocations and correlate the target host against internal IPv6 allocations.
- Enable egress monitoring on the AutoGPT host to flag IPv6 connections to RFC 4193 unique local and RFC 4291 loopback ranges.
- Audit deployed agent workflows for user-controllable URL fields fed into the web request block.
Monitoring Recommendations
- Forward AutoGPT application logs and host network telemetry to a centralized analytics platform for SSRF pattern matching.
- Alert on DNS resolutions from the AutoGPT host that return AAAA records pointing inside the internal IPv6 plan.
- Track the deployed autogpt-platform-beta version through configuration management to confirm patch coverage.
How to Mitigate CVE-2025-22603
Immediate Actions Required
- Upgrade to autogpt-platform-beta-v0.4.2 or later, which adds IPv6 ranges to BLOCKED_IP_NETWORKS.
- Restrict outbound network access from the AutoGPT backend to only the destinations agents legitimately require.
- Review existing agent definitions and remove or sanitize user-controlled URLs fed into the Send Web Request block.
Patch Information
The fix is delivered in commit 26214e1 and described in the GitHub Security Advisory GHSA-4c8v-hwxc-2356. Operators should pull autogpt-platform-beta-v0.4.2 or newer and redeploy the backend container.
Workarounds
- Disable IPv6 on the AutoGPT backend host or container network if IPv6 egress is not required.
- Apply host firewall rules to deny outbound traffic to ::1/128, fc00::/7, fe80::/10, and any internal IPv6 prefixes.
- Place the AutoGPT backend behind an egress proxy that enforces an allow-list of external destinations.
# Example: drop outbound IPv6 traffic to internal ranges on the AutoGPT host
ip6tables -A OUTPUT -d ::1/128 -j REJECT
ip6tables -A OUTPUT -d fc00::/7 -j REJECT
ip6tables -A OUTPUT -d fe80::/10 -j REJECT
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
