CVE-2025-62616
Published: 04 February 2026
Summary
CVE-2025-62616 is a critical-severity SSRF (CWE-918) vulnerability in Agpt Autogpt Platform. Its CVSS base score is 9.3 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 25.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
This vulnerability is AI-related — categorised as AI Agent Protocols and Integrations; in the Supply Chain and Deployment risk domain.
The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2025-62616 is a Server-Side Request Forgery (SSRF) vulnerability, classified under CWE-918, affecting the AutoGPT platform prior to version autogpt-platform-beta-v0.6.34. AutoGPT enables users to create, deploy, and manage continuous artificial intelligence agents that automate complex workflows. The flaw occurs in the SendDiscordFileBlock component, where the third-party aiohttp.ClientSession().get method directly processes unfiltered user-supplied URLs, allowing arbitrary server-initiated requests. Published on 2026-02-04, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity.
Remote attackers can exploit this vulnerability without authentication, privileges, or user interaction, requiring only network access and low attack complexity. By supplying a malicious URL, they can trick the AutoGPT server into making unintended requests, potentially accessing internal resources, services, or metadata behind firewalls, with high impacts on confidentiality, integrity, and availability.
The issue has been patched in autogpt-platform-beta-v0.6.34. Additional mitigation details are available in the GitHub security advisory at https://github.com/Significant-Gravitas/AutoGPT/security/advisories/GHSA-ggc4-4fmm-9hmc.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-206865
Vulnerability details
AutoGPT is a platform that allows users to create, deploy, and manage continuous artificial intelligence agents that automate complex workflows. Prior to autogpt-platform-beta-v0.6.34, in SendDiscordFileBlock, the third-party library aiohttp.ClientSession().get is used directly to access the URL, but the input URL…
more
is not filtered, which will cause SSRF vulnerability. This issue has been patched in autogpt-platform-beta-v0.6.34.
- CWE(s)
AI Security AnalysisAI
- AI Category
- AI Agent Protocols and Integrations
- Risk Domain
- Supply Chain and Deployment
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- Matched keywords: artificial intelligence, autogpt
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SSRF in public-facing AutoGPT component directly enables remote exploitation of the application to reach internal resources without auth.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires validation and sanitization of user-supplied URLs before processing them with aiohttp.ClientSession().get to block SSRF exploitation.
Enforces application-level policies restricting outbound information flows to only authorized URLs, preventing the server from making requests to internal or malicious endpoints.
Implements network boundary controls like firewalls to monitor and block unauthorized outbound connections from the AutoGPT server to internal resources targeted by SSRF.