CVE-2026-42345 Overview
FastGPT is an open-source AI Agent building platform developed by labring. CVE-2026-42345 is a Server-Side Request Forgery (SSRF) vulnerability [CWE-918] affecting FastGPT versions 4.14.11 and prior. The isInternalAddress() function in packages/service/common/system/utils.ts blocks cloud metadata endpoints using a fullUrl.startsWith() check against a hardcoded blocklist. Attackers can bypass this check using at least seven different URL encoding techniques that resolve to the same metadata service. At the time of publication, no patches are available.
Critical Impact
Authenticated attackers can reach cloud metadata endpoints and exfiltrate instance credentials from AWS, GCP, or Azure environments hosting FastGPT.
Affected Products
- FastGPT versions 4.14.11 and prior
- Self-hosted FastGPT deployments on AWS, GCP, and Azure
- FastGPT instances with default CHECK_INTERNAL_IP configuration
Discovery Timeline
- 2026-05-08 - CVE-2026-42345 published to NVD
- 2026-05-12 - Last updated in NVD database
Technical Details for CVE-2026-42345
Vulnerability Analysis
The vulnerability resides in FastGPT's internal address validation logic. The isInternalAddress() function attempts to block requests to cloud metadata services by comparing the request URL prefix against a hardcoded blocklist. The implementation relies on fullUrl.startsWith(), which performs strict string matching against canonical metadata endpoint URLs.
This approach fails to canonicalize the URL before comparison. URL encoding variations, alternate IP representations, and hostname obfuscation techniques produce request targets that resolve to 169.254.169.254 but do not match the blocklist string prefixes. The advisory documents at least seven distinct encoding techniques that defeat this check.
A secondary control, isInternalIPv4/isInternalIPv6, would normally block private IP ranges. However, this broader check depends on the CHECK_INTERNAL_IP environment variable, which defaults to false rather than 'true'. The default configuration leaves the bypass paths fully exploitable.
Root Cause
The root cause is improper input validation combined with insecure default configuration. String-prefix matching cannot enforce URL allow/deny policy because HTTP clients decode and normalize URLs before resolution. The check operates on the pre-normalized form while the underlying fetch operates on the normalized form.
Attack Vector
An authenticated low-privilege user supplies a crafted URL to a FastGPT feature that performs server-side HTTP requests. The encoded URL bypasses isInternalAddress() because the literal prefix does not appear in the blocklist. FastGPT then issues a request to the cloud metadata service from the host instance. The response, containing IAM credentials or instance identity tokens, is returned to the attacker through the application response path.
The vulnerability requires network access to the FastGPT instance and valid low-privilege authentication. No user interaction is needed. The scope changes because credentials retrieved from metadata services grant access to resources outside the FastGPT process boundary.
Detection Methods for CVE-2026-42345
Indicators of Compromise
- Outbound HTTP requests from FastGPT hosts to 169.254.169.254, metadata.google.internal, or metadata.azure.com
- Application logs showing URL parameters containing percent-encoded sequences, decimal IP notation, or octal IP notation targeting link-local addresses
- Unexpected use of FastGPT-issued IAM credentials from non-FastGPT source IPs
Detection Strategies
- Inspect FastGPT request logs for user-supplied URLs containing %31%36%39, 0x, or non-standard host encodings
- Correlate FastGPT process network connections against the cloud provider metadata IP range at the host or VPC flow log level
- Alert on cloud audit events where FastGPT instance role credentials are used from unexpected geographic regions or services
Monitoring Recommendations
- Enable VPC flow logs and forward to a centralized analytics platform for metadata endpoint access review
- Monitor IMDS (Instance Metadata Service) access patterns and enforce IMDSv2 session-token requirements on AWS
- Track FastGPT outbound destinations and baseline expected third-party API endpoints
How to Mitigate CVE-2026-42345
Immediate Actions Required
- Set the CHECK_INTERNAL_IP environment variable to the string 'true' to enable private IP range filtering
- Enforce IMDSv2 on AWS EC2 instances hosting FastGPT to require session tokens for metadata access
- Restrict FastGPT instance IAM roles to the minimum permissions needed for application operation
- Place FastGPT behind an egress proxy that blocks link-local and private address ranges
Patch Information
No official patch is available at the time of publication. Monitor the GitHub Security Advisory GHSA-jhqw-944x-xh94 for updates from the FastGPT maintainers.
Workarounds
- Block outbound traffic from FastGPT hosts to 169.254.169.254 and other cloud metadata endpoints via host firewall or security group
- Deploy FastGPT in a network segment without access to cloud metadata services where feasible
- Add a reverse proxy or WAF rule rejecting URL parameters containing encoded representations of 169.254.169.254
# Configuration example: enable internal IP filtering and block metadata egress
export CHECK_INTERNAL_IP='true'
# AWS: enforce IMDSv2 on the host instance
aws ec2 modify-instance-metadata-options \
--instance-id i-xxxxxxxx \
--http-tokens required \
--http-endpoint enabled
# Linux host firewall: drop egress to link-local metadata service
iptables -A OUTPUT -d 169.254.169.254 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
