CVE-2025-31491 Overview
CVE-2025-31491 is a high-severity Information Leakage vulnerability affecting AutoGPT, a platform that allows users to create, deploy, and manage continuous artificial intelligence agents that automate complex workflows. The vulnerability exists in the request wrapper implementation located in autogpt_platform/backend/backend/util/request.py, which fails to properly handle security-sensitive headers during HTTP redirects.
Prior to version 0.6.1, AutoGPT's custom request wrapper manually re-requests redirect locations without accounting for security-sensitive headers that should not be sent cross-origin. This includes the Authorization and Proxy-Authorization headers, as well as cookies. When combined with an open redirect vulnerability in a third-party service (such as GitHub API), an attacker could leak authentication credentials and private cookies.
Critical Impact
Authentication credentials including Authorization headers and private cookies can be leaked to attacker-controlled domains through redirect manipulation, potentially compromising GitHub API credentials and other sensitive authentication tokens used by AutoGPT agents.
Affected Products
- AutoGPT Platform versions prior to 0.6.1
- agpt autogpt_platform
Discovery Timeline
- 2025-04-15 - CVE CVE-2025-31491 published to NVD
- 2025-08-05 - Last updated in NVD database
Technical Details for CVE-2025-31491
Vulnerability Analysis
The vulnerability stems from a flawed implementation of HTTP redirect handling in AutoGPT's custom request wrapper. Standard HTTP clients following security best practices will strip sensitive headers like Authorization when redirecting to a different origin to prevent credential leakage. However, AutoGPT's wrapper specifically does NOT follow redirects for the first request, instead manually re-requesting the new location when allow_redirects is set to True (the default behavior).
This manual re-request implementation has a fundamental security flaw: it does not strip security-sensitive headers that should never be sent cross-origin. When the wrapper encounters a redirect, it sends the same headers—including authentication tokens—to the redirect target, regardless of whether that target is on a different domain.
The vulnerability is classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) and CWE-601 (URL Redirection to Untrusted Site), reflecting both the information disclosure and open redirect aspects of this security issue.
Root Cause
The root cause is the improper implementation of redirect handling in the custom request wrapper at autogpt_platform/backend/backend/util/request.py. Unlike standard HTTP libraries that automatically strip sensitive headers when following cross-origin redirects, AutoGPT's implementation manually re-requests the redirect location while preserving all original headers, including Authorization, Proxy-Authorization, and cookies.
This design oversight means that any redirect response (whether from a legitimate service misconfiguration or an exploited open redirect vulnerability) will cause sensitive authentication credentials to be forwarded to the redirect target.
Attack Vector
An attacker can exploit this vulnerability through the following attack chain:
- The attacker identifies an open redirect vulnerability on a trusted service that AutoGPT interacts with (e.g., GitHub API)
- The attacker crafts a malicious URL that appears to point to the legitimate service but redirects to an attacker-controlled domain
- When AutoGPT makes an authenticated request to this URL, the request wrapper follows the redirect and sends the Authorization header to the attacker's domain
- The attacker captures the leaked credentials and can use them to access the victim's GitHub account or other services
For example, in autogpt_platform/backend/backend/blocks/github/_api.py, an Authorization header is set when retrieving data from the GitHub API. If an attacker can coerce AutoGPT into visiting a crafted redirect URL (using path traversal techniques like /../../../../../redirect/?url=https://attacker.com/), the GitHub credentials will be leaked to the attacker's server.
Detection Methods for CVE-2025-31491
Indicators of Compromise
- Outbound HTTP requests from AutoGPT instances containing Authorization headers to unexpected or suspicious domains
- Log entries showing redirect chains where authentication headers were sent to non-GitHub or non-configured API endpoints
- Network traffic patterns showing AutoGPT connecting to unknown external hosts after initially contacting legitimate API endpoints
- Unusual API activity on GitHub or other integrated services indicating potential credential compromise
Detection Strategies
- Monitor outbound network traffic from AutoGPT instances for connections to unexpected domains following API requests
- Implement network-level logging to track redirect chains and identify cross-origin requests containing sensitive headers
- Review application logs for HTTP redirect responses (301, 302, 303, 307, 308) and subsequent requests to different domains
- Configure intrusion detection systems to alert on outbound requests containing Authorization headers to non-whitelisted domains
Monitoring Recommendations
- Deploy web application firewalls (WAF) to inspect outbound traffic and block requests with authentication headers to unauthorized destinations
- Implement DNS monitoring to detect connections to suspicious or newly registered domains from AutoGPT infrastructure
- Set up alerting for any GitHub API or other integration credential usage from unexpected IP addresses or geographic locations
How to Mitigate CVE-2025-31491
Immediate Actions Required
- Upgrade AutoGPT Platform to version 0.6.1 or later immediately
- Rotate all API credentials (GitHub tokens, authentication keys) that may have been used with affected AutoGPT versions
- Review audit logs for any suspicious API activity that may indicate credential compromise
- Temporarily disable external API integrations if immediate patching is not possible
Patch Information
The vulnerability has been fixed in AutoGPT Platform version 0.6.1. The fix ensures that security-sensitive headers are properly stripped when following cross-origin redirects, preventing credential leakage. Users should update to this version or later to remediate the vulnerability. For detailed information about the fix, refer to the GitHub Security Advisory.
Workarounds
- Configure AutoGPT to set allow_redirects=False in request configurations to prevent automatic redirect following
- Implement network-level controls to restrict AutoGPT's ability to connect to non-whitelisted domains
- Use a forward proxy that strips sensitive headers for cross-origin redirects
- Limit the permissions and scope of API credentials used with AutoGPT to minimize impact if credentials are leaked
# Upgrade AutoGPT to patched version
pip install autogpt-platform>=0.6.1
# Or update via git
cd /path/to/AutoGPT
git pull origin main
git checkout v0.6.1
pip install -e .
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
