Cyber Resilience

CVE-2025-1040

HighPublic PoC

Published: 20 March 2025

Published
20 March 2025
Modified
15 October 2025
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.1160 93.8th percentile
Risk Priority 25 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-1040 is a high-severity Improper Neutralization of Special Elements Used in a Template Engine (CWE-1336) vulnerability in Agpt Autogpt Platform. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 6.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

This vulnerability is AI-related — categorised as AI Agent Protocols and Integrations; in the Supply Chain and Deployment risk domain.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

AutoGPT versions 0.3.4 and earlier contain a server-side template injection vulnerability in the AgentOutputBlock component that allows remote code execution. The flaw stems from unsafe handling of user-supplied format strings that are passed directly to the Jinja2 templating engine without proper sanitization or sandboxing, enabling arbitrary command execution on the underlying host. The issue is tracked under CWE-1336 and carries a CVSS 3.1 score of 8.8.

An authenticated attacker with network access can supply a malicious format string to trigger the injection and obtain code execution privileges equivalent to the AutoGPT process. Successful exploitation grants full control over the host system, including the ability to read, modify, or delete data and potentially pivot to other resources.

The vulnerability is resolved in AutoGPT 0.4.0. The referenced commit on GitHub and the associated huntr.com bounty reports document the patch that addresses the unsafe template handling in AgentOutputBlock. The EPSS score has remained at 0.1160 with no material increase since disclosure.

EU & UK References

Vulnerability details

AutoGPT versions 0.3.4 and earlier are vulnerable to a Server-Side Template Injection (SSTI) that could lead to Remote Code Execution (RCE). The vulnerability arises from the improper handling of user-supplied format strings in the `AgentOutputBlock` implementation, where malicious input is…

more

passed to the Jinja2 templating engine without adequate security measures. Attackers can exploit this flaw to execute arbitrary commands on the host system. The issue is fixed in version 0.4.0.

CWE(s)

AI Security AnalysisAI

AI Category
AI Agent Protocols and Integrations
Risk Domain
Supply Chain and Deployment
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Matched keywords: autogpt

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059 Command and Scripting Interpreter Execution
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Why these techniques?

SSTI vulnerability directly enables remote exploitation of the application for arbitrary command execution (RCE) on the host.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-62615Same product: Agpt Autogpt Platform
CVE-2025-0454Same product: Agpt Autogpt Platform
CVE-2025-62616Same product: Agpt Autogpt Platform
CVE-2026-24780Same product: Agpt Autogpt Platform
CVE-2026-26020Same product: Agpt Autogpt Platform
CVE-2025-22603Same product: Agpt Autogpt Platform
CVE-2026-22038Same product: Agpt Autogpt Platform
CVE-2025-53833Shared CWE-1336
CVE-2024-57177Shared CWE-1336
CVE-2026-34906Shared CWE-1336

Affected Assets

agpt
autogpt platform
≤ 0.4.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires validation and sanitization of user-supplied format strings before passing to the Jinja2 templating engine, directly preventing SSTI exploitation.

prevent

Mandates timely patching to AutoGPT version 0.4.0, which remediates the improper input handling flaw leading to RCE.

prevent

Enforces secure configuration settings for the Jinja2 templating engine, such as sandboxing or restricted features, to mitigate unsafe template rendering.

References