CVE-2025-1040
Published: 20 March 2025
Summary
CVE-2025-1040 is a high-severity Improper Neutralization of Special Elements Used in a Template Engine (CWE-1336) vulnerability in Agpt Autogpt Platform. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 6.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Requires validation and sanitization of user-supplied format strings before they are passed to the Jinja2 templating engine, directly preventing SSTI exploitation.
- SI-2 (Flaw Remediation): Mandates timely patching to AutoGPT version 0.4.0, which remediates the improper input handling flaw that leads to RCE.
- Secure configuration: Enforces secure configuration settings for the Jinja2 templating engine, such as sandboxing or restricted features, to mitigate unsafe template rendering.
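The SI-10 control above asks for user-supplied format strings to be validated before any template engine sees them. The following is an added illustration written for this entry; it is not code from the AutoGPT project or from the fixing commit, and the function names (`validate_format_string`, `render_output`, `is_safe_format_string`), the exception type and the accepted placeholder grammar are all assumptions chosen for the example. The idea is an allow-list gate: only plain `{{ name }}` placeholders naming known output fields are accepted, every other piece of Jinja-style syntax is refused, and rendering is done by literal substitution so that neither the format string nor the substituted values are ever evaluated as template code.

```python
import re
from typing import Iterable, Mapping

# Constructed example: an allow-list gate placed in front of a template engine.
# Only simple "{{ name }}" placeholders are accepted; every other piece of
# Jinja-style syntax ("{% %}", "{# #}", attribute access, filters, calls)
# is rejected before the string reaches any renderer. All names here are
# hypothetical and are not taken from the AutoGPT code base.

PLACEHOLDER_RE = re.compile(r"\{\{\s*([A-Za-z_][A-Za-z0-9_]*)\s*\}\}")
# Any delimiter that survives placeholder removal means the user supplied
# template syntax beyond the simple form we allow.
TEMPLATE_SYNTAX_RE = re.compile(r"\{\{|\}\}|\{%|%\}|\{#|#\}")


class UnsafeFormatString(ValueError):
    """Raised when a user-supplied format string is not a plain placeholder template."""


def validate_format_string(fmt: str, allowed_names: Iterable[str]) -> list[str]:
    """Return the placeholder names used in fmt, or raise UnsafeFormatString.

    Accepts only "{{ identifier }}" placeholders whose identifier is in
    allowed_names. Everything else that looks like template syntax is refused.
    """
    names = PLACEHOLDER_RE.findall(fmt)
    unknown = sorted(set(names) - set(allowed_names))
    if unknown:
        raise UnsafeFormatString(f"unknown placeholder(s): {unknown}")
    leftover = PLACEHOLDER_RE.sub("", fmt)
    if TEMPLATE_SYNTAX_RE.search(leftover):
        raise UnsafeFormatString(
            "only simple {{ name }} placeholders are allowed in output format strings"
        )
    return names


def is_safe_format_string(fmt: str, allowed_names: Iterable[str]) -> bool:
    """Boolean convenience wrapper around validate_format_string."""
    try:
        validate_format_string(fmt, allowed_names)
    except UnsafeFormatString:
        return False
    return True


def render_output(fmt: str, values: Mapping[str, object]) -> str:
    """Render a validated format string by plain substitution.

    Values are inserted verbatim and never re-parsed, so a value that itself
    contains "{{ ... }}" is emitted literally rather than evaluated.
    """
    validate_format_string(fmt, values.keys())
    return PLACEHOLDER_RE.sub(lambda m: str(values[m.group(1)]), fmt)


if __name__ == "__main__":
    # Constructed sample output fields an agent block might expose.
    sample = {"name": "agent-1", "output": "task complete"}
    print(render_output("[{{ name }}] {{ output }}", sample))
    for candidate in ("{{ output.upper() }}", "{% if output %}x{% endif %}", "{{ secret }}"):
        verdict = "accepted" if is_safe_format_string(candidate, sample) else "rejected"
        print(repr(candidate), verdict)
```

Because the gate accepts nothing but bare variable references, a string that passes it can also be handed to Jinja2 if the engine's output formatting is still wanted; in that case render it through `jinja2.sandbox.SandboxedEnvironment` rather than a default `Environment`, which is the "sandboxing or restricted features" setting named in the third control above. Rejected strings should be logged with the requesting user and the reason, since repeated rejections from one account are a useful detection signal for attempted template injection.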
MITRE ATT&CK Enterprise Techniques
Why these techniques?
- Exploit Public-Facing Application (T1190): The SSTI vulnerability directly enables remote exploitation of the application for arbitrary command execution (RCE) on the host.
NVD Description
AutoGPT versions 0.3.4 and earlier are vulnerable to a Server-Side Template Injection (SSTI) that could lead to Remote Code Execution (RCE). The vulnerability arises from the improper handling of user-supplied format strings in the `AgentOutputBlock` implementation, where malicious input is passed to the Jinja2 templating engine without adequate security measures. Attackers can exploit this flaw to execute arbitrary commands on the host system. The issue is fixed in version 0.4.0.
Deeper analysis
CVE-2025-1040 is a Server-Side Template Injection (SSTI) vulnerability affecting AutoGPT versions 0.3.4 and earlier. The flaw stems from improper handling of user-supplied format strings in the AgentOutputBlock implementation, where malicious input is passed directly to the Jinja2 templating engine without sufficient security controls, enabling Remote Code Execution (RCE). It is classified under CWE-1336 with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
An attacker with low privileges, such as an authenticated user, can exploit this vulnerability remotely over the network with low attack complexity and no user interaction required. Exploitation involves injecting malicious templates that execute arbitrary commands on the host system, with high impact on confidentiality, integrity, and availability.
The issue is addressed in AutoGPT version 0.4.0. The fixing commit is documented at https://github.com/significant-gravitas/autogpt/commit/6dba31e0215549604bdcc1aed24e3a1714e75ee2, with additional details available via the Huntr bounty report at https://huntr.com/bounties/b74ef75f-61d5-4422-ab15-9550c8b4f185.
Details
- CWE(s)