CVE-2025-1040
Published: 20 March 2025
Summary
CVE-2025-1040 is a high-severity Improper Neutralization of Special Elements Used in a Template Engine (CWE-1336) vulnerability in Agpt Autogpt Platform. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 6.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
This vulnerability is AI-related — categorised as AI Agent Protocols and Integrations; in the Supply Chain and Deployment risk domain.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
AutoGPT versions 0.3.4 and earlier contain a server-side template injection vulnerability in the AgentOutputBlock component that allows remote code execution. The flaw stems from unsafe handling of user-supplied format strings that are passed directly to the Jinja2 templating engine without proper sanitization or sandboxing, enabling arbitrary command execution on the underlying host. The issue is tracked under CWE-1336 and carries a CVSS 3.1 score of 8.8.
An authenticated attacker with network access can supply a malicious format string to trigger the injection and obtain code execution privileges equivalent to the AutoGPT process. Successful exploitation grants full control over the host system, including the ability to read, modify, or delete data and potentially pivot to other resources.
The vulnerability is resolved in AutoGPT 0.4.0. The referenced commit on GitHub and the associated huntr.com bounty reports document the patch that addresses the unsafe template handling in AgentOutputBlock. The EPSS score has remained at 0.1160 with no material increase since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-6829
Vulnerability details
AutoGPT versions 0.3.4 and earlier are vulnerable to a Server-Side Template Injection (SSTI) that could lead to Remote Code Execution (RCE). The vulnerability arises from the improper handling of user-supplied format strings in the `AgentOutputBlock` implementation, where malicious input is…
more
passed to the Jinja2 templating engine without adequate security measures. Attackers can exploit this flaw to execute arbitrary commands on the host system. The issue is fixed in version 0.4.0.
- CWE(s)
AI Security AnalysisAI
- AI Category
- AI Agent Protocols and Integrations
- Risk Domain
- Supply Chain and Deployment
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- Matched keywords: autogpt
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SSTI vulnerability directly enables remote exploitation of the application for arbitrary command execution (RCE) on the host.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Requires validation and sanitization of user-supplied format strings before passing to the Jinja2 templating engine, directly preventing SSTI exploitation.
Mandates timely patching to AutoGPT version 0.4.0, which remediates the improper input handling flaw leading to RCE.
Enforces secure configuration settings for the Jinja2 templating engine, such as sandboxing or restricted features, to mitigate unsafe template rendering.