CVE-2025-62616
Published: 04 February 2026
Summary
CVE-2025-62616 is a critical-severity SSRF (CWE-918) vulnerability in Agpt Autogpt Platform. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 24.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
This vulnerability is AI-related — categorised as APIs and Models.
The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly requires validation and sanitization of user-supplied URLs before processing them with aiohttp.ClientSession().get to block SSRF exploitation.
Enforces application-level policies restricting outbound information flows to only authorized URLs, preventing the server from making requests to internal or malicious endpoints.
Implements network boundary controls like firewalls to monitor and block unauthorized outbound connections from the AutoGPT server to internal resources targeted by SSRF.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SSRF in public-facing AutoGPT component directly enables remote exploitation of the application to reach internal resources without auth.
NVD Description
AutoGPT is a platform that allows users to create, deploy, and manage continuous artificial intelligence agents that automate complex workflows. Prior to autogpt-platform-beta-v0.6.34, in SendDiscordFileBlock, the third-party library aiohttp.ClientSession().get is used directly to access the URL, but the input URL…
more
is not filtered, which will cause SSRF vulnerability. This issue has been patched in autogpt-platform-beta-v0.6.34.
Deeper analysisAI
CVE-2025-62616 is a Server-Side Request Forgery (SSRF) vulnerability, classified under CWE-918, affecting the AutoGPT platform prior to version autogpt-platform-beta-v0.6.34. AutoGPT enables users to create, deploy, and manage continuous artificial intelligence agents that automate complex workflows. The flaw occurs in the SendDiscordFileBlock component, where the third-party aiohttp.ClientSession().get method directly processes unfiltered user-supplied URLs, allowing arbitrary server-initiated requests. Published on 2026-02-04, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity.
Remote attackers can exploit this vulnerability without authentication, privileges, or user interaction, requiring only network access and low attack complexity. By supplying a malicious URL, they can trick the AutoGPT server into making unintended requests, potentially accessing internal resources, services, or metadata behind firewalls, with high impacts on confidentiality, integrity, and availability.
The issue has been patched in autogpt-platform-beta-v0.6.34. Additional mitigation details are available in the GitHub security advisory at https://github.com/Significant-Gravitas/AutoGPT/security/advisories/GHSA-ggc4-4fmm-9hmc.
Details
- CWE(s)
Affected Products
AI Security AnalysisAI
- AI Category
- APIs and Models
- Risk Domain
- N/A
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- Matched keywords: artificial intelligence