CVE-2025-22603
Published: 10 March 2025
Summary
CVE-2025-22603 is a high-severity SSRF (CWE-918) vulnerability in Agpt Autogpt Platform. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 44.0th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
This vulnerability is AI-related: it is categorised as AI Agent Protocols and Integrations, in the Other ATLAS/OWASP Terms risk domain.
The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SC-7 (Boundary Protection).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-10 requires validation of information inputs like URLs in the Send Web Request component, directly preventing SSRF by filtering unrestricted IPv6 addresses.
AC-4 enforces information flow control policies that restrict server-side requests to authorized destinations, blocking SSRF exploitation to unauthorized IPv6 services.
SC-7 monitors and controls communications at system boundaries, mitigating SSRF by preventing forged requests from reaching internal or IPv6 services.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The SSRF vulnerability in the public-facing AutoGPT platform (T1190) allows attackers to force the server to make unauthorized requests to arbitrary IPv6 addresses, facilitating remote system discovery (T1018) and network service discovery (T1046) of internal resources.
NVD Description
AutoGPT is a platform that allows users to create, deploy, and manage continuous artificial intelligence agents that automate complex workflows. Versions prior to autogpt-platform-beta-v0.4.2 contain a server-side request forgery (SSRF) vulnerability inside component (or block) `Send Web Request`. The root cause is that IPV6 address is not restricted or filtered, which allows attackers to perform a server side request forgery to visit an IPV6 service. autogpt-platform-beta-v0.4.2 fixes the issue.
Deeper analysis
CVE-2025-22603 is a server-side request forgery (SSRF) vulnerability, classified under CWE-918, affecting the AutoGPT platform in versions prior to autogpt-platform-beta-v0.4.2. AutoGPT is a platform that enables users to create, deploy, and manage continuous artificial intelligence agents for automating complex workflows. The flaw resides in the `Send Web Request` component, where IPv6 addresses are not restricted or filtered, allowing attackers to forge server-side requests to IPv6 services. The vulnerability carries a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N) and was published on 2025-03-10.
Low-privileged users (PR:L) can exploit this vulnerability remotely with low complexity and no user interaction required. By leveraging the `Send Web Request` component, attackers can direct the server to make unauthorized requests to IPv6 services, potentially resulting in high confidentiality and integrity impacts, such as accessing internal resources or manipulating data.
The vulnerability is addressed in autogpt-platform-beta-v0.4.2, as detailed in the GitHub security advisory GHSA-4c8v-hwxc-2356 and the fixing commit 26214e1b2c6777e0fae866642b23420adaadd6c4. Additional analysis is provided in the Notion page at https://boatneck-faucet-cba.notion.site/SSRF-of-AutoGPT-153b650a4d88804d923ad65a015a7d61 and the affected source code at https://github.com/Significant-Gravitas/AutoGPT/blob/2121ffd06b26a438706bf642372cc46d81c94ddc/autogpt_platform/backend/backend/util/request.py#L11. Security practitioners should ensure deployment of the patched version to mitigate the issue.
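An added example (not AutoGPT's code and not the fix shipped in autogpt-platform-beta-v0.4.2): a destination check for a server-side request feature that judges IPv6 targets by the same rules as IPv4, which is the gap the description above names. The function names and the injectable `resolver` parameter are assumptions made for this illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit


def system_resolver(host):
    """Return every address (A and AAAA) the system resolver gives for host."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    # Link-local IPv6 results can carry a "%scope" suffix; drop it.
    return [info[4][0].split("%", 1)[0] for info in infos]


def is_public_address(text):
    """True only for globally routable unicast addresses, IPv4 or IPv6."""
    addr = ipaddress.ip_address(text)
    if addr.version == 6:
        # Unwrap IPv4 carried inside IPv6 (::ffff:a.b.c.d and 6to4) so the
        # embedded IPv4 address is the one that gets judged.
        embedded = addr.ipv4_mapped
        if embedded is None:
            embedded = addr.sixtofour
        if embedded is not None:
            addr = embedded
    return addr.is_global and not addr.is_multicast


def is_destination_allowed(url, resolver=system_resolver):
    """Allow http(s) URLs only when every resolved address is public."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    host = parts.hostname
    try:
        ipaddress.ip_address(host)
        candidates = [host]  # literal IP (v4 or bracketed v6): nothing to resolve
    except ValueError:
        try:
            candidates = resolver(host)  # hostname: check A and AAAA answers
        except OSError:
            return False
    # One internal address among the answers is enough to refuse the request.
    return bool(candidates) and all(is_public_address(a) for a in candidates)
```

The outgoing connection should be made to the address that was validated; a second DNS lookup at connect time can return a different answer than the one checked.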
Details
- CWE(s)
Affected Products
AI Security Analysis
- AI Category: AI Agent Protocols and Integrations
- Risk Domain: Other ATLAS/OWASP Terms
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: AutoGPT is explicitly described as a platform for creating, deploying, and managing continuous artificial intelligence agents, which aligns directly with the AI Agent Protocols and Integrations category.