Cyber Resilience

CVE-2025-62616

CriticalPublic PoC

Published: 04 February 2026

Published
04 February 2026
Modified
17 February 2026
KEV Added
Patch
CVSS Score v4 9.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0034 25.5th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2025-62616 is a critical-severity SSRF (CWE-918) vulnerability in Agpt Autogpt Platform. Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 25.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

This vulnerability is AI-related — categorised as AI Agent Protocols and Integrations; in the Supply Chain and Deployment risk domain.

The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-62616 is a Server-Side Request Forgery (SSRF) vulnerability, classified under CWE-918, affecting the AutoGPT platform prior to version autogpt-platform-beta-v0.6.34. AutoGPT enables users to create, deploy, and manage continuous artificial intelligence agents that automate complex workflows. The flaw occurs in the SendDiscordFileBlock component, where the third-party aiohttp.ClientSession().get method directly processes unfiltered user-supplied URLs, allowing arbitrary server-initiated requests. Published on 2026-02-04, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity.

Remote attackers can exploit this vulnerability without authentication, privileges, or user interaction, requiring only network access and low attack complexity. By supplying a malicious URL, they can trick the AutoGPT server into making unintended requests, potentially accessing internal resources, services, or metadata behind firewalls, with high impacts on confidentiality, integrity, and availability.

The issue has been patched in autogpt-platform-beta-v0.6.34. Additional mitigation details are available in the GitHub security advisory at https://github.com/Significant-Gravitas/AutoGPT/security/advisories/GHSA-ggc4-4fmm-9hmc.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

AutoGPT is a platform that allows users to create, deploy, and manage continuous artificial intelligence agents that automate complex workflows. Prior to autogpt-platform-beta-v0.6.34, in SendDiscordFileBlock, the third-party library aiohttp.ClientSession().get is used directly to access the URL, but the input URL…

more

is not filtered, which will cause SSRF vulnerability. This issue has been patched in autogpt-platform-beta-v0.6.34.

CWE(s)

AI Security AnalysisAI

AI Category
AI Agent Protocols and Integrations
Risk Domain
Supply Chain and Deployment
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Matched keywords: artificial intelligence, autogpt

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

SSRF in public-facing AutoGPT component directly enables remote exploitation of the application to reach internal resources without auth.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-62615Same product: Agpt Autogpt Platform
CVE-2025-0454Same product: Agpt Autogpt Platform
CVE-2025-22603Same product: Agpt Autogpt Platform
CVE-2026-24780Same product: Agpt Autogpt Platform
CVE-2025-1040Same product: Agpt Autogpt Platform
CVE-2026-26020Same product: Agpt Autogpt Platform
CVE-2026-22038Same product: Agpt Autogpt Platform
CVE-2026-7158Shared CWE-918
CVE-2026-32871Shared CWE-918
CVE-2026-2654Shared CWE-918

Affected Assets

agpt
autogpt platform
≤ 0.6.34

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validation and sanitization of user-supplied URLs before processing them with aiohttp.ClientSession().get to block SSRF exploitation.

prevent

Enforces application-level policies restricting outbound information flows to only authorized URLs, preventing the server from making requests to internal or malicious endpoints.

preventdetect

Implements network boundary controls like firewalls to monitor and block unauthorized outbound connections from the AutoGPT server to internal resources targeted by SSRF.

References