AutoGPT DNS Rebinding Vulnerability Leading to Server-Side Request Forgery

Vulnerability

A server-side request forgery (SSRF) vulnerability has been identified in AutoGPT versions prior to 0.6.1. The issue is a DNS rebinding weakness in the application's request validation. AutoGPT includes a wrapper around Python's requests library that is designed to prevent SSRF by blocking access to local IPv4 and IPv6 addresses. The validation is insufficient, however: a DNS server can answer the first lookup with a non-blocked address and a TTL of 0, so the URL passes validation as safe. When the actual request is then made, the hostname is resolved a second time and can now point at a blocked address, which is then accessed. This vulnerability could be exploited to leak authentication headers and cookies by following open redirects that are not properly sanitized.
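The time-of-check/time-of-use gap described above, and one way to close it, as an added Python example that is not AutoGPT's own code: the flawed pattern validates one lookup and lets the HTTP client resolve again, while the hardened pattern resolves once, pins the connection to the validated address, and re-validates every redirect hop. The `send` callback and the resolver functions are placeholders so the example runs offline; the addresses used in tests are constructed.

```python
import ipaddress
import socket
from urllib.parse import urlsplit, urlunsplit

def is_blocked_ip(ip_str):
    """Addresses an SSRF-guarding wrapper should refuse (loopback, private, link-local, ...)."""
    ip = ipaddress.ip_address(ip_str)
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)

def system_resolver(hostname):
    return sorted({ai[4][0] for ai in socket.getaddrinfo(hostname, None)})

def resolve(hostname, resolver):
    try:  # an IP literal (e.g. a redirect straight to 127.0.0.1) needs no lookup
        return [str(ipaddress.ip_address(hostname))]
    except ValueError:
        return resolver(hostname)

def naive_is_safe(url, resolver=system_resolver):
    """The flawed pattern: check one lookup, then let the HTTP client resolve again (TTL 0 may differ)."""
    return not any(is_blocked_ip(ip) for ip in resolve(urlsplit(url).hostname, resolver))

def pin_url(url, resolver=system_resolver):
    """Resolve once, validate that answer, and rewrite the URL so the client connects to
    the validated IP. Returns (pinned_url, original_hostname) for the Host header."""
    parts = urlsplit(url)
    ips = resolve(parts.hostname, resolver)
    if not ips or any(is_blocked_ip(ip) for ip in ips):
        raise ValueError(f"blocked or unresolvable host: {parts.hostname}")
    netloc = f"[{ips[0]}]" if ":" in ips[0] else ips[0]
    if parts.port:
        netloc += f":{parts.port}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, "")), parts.hostname

def fetch_pinned(url, headers, send, resolver=system_resolver, max_redirects=5):
    """Follow redirects by hand: each hop is pinned and re-validated; Authorization/Cookie are
    dropped once the host changes. `send(pinned_url, headers) -> (status, headers)` is the client."""
    origin = urlsplit(url).hostname
    for _ in range(max_redirects + 1):
        pinned, host = pin_url(url, resolver)
        hop = dict(headers) if host == origin else {
            k: v for k, v in headers.items() if k.lower() not in ("authorization", "cookie")}
        hop["Host"] = host
        status, resp_headers = send(pinned, hop)
        if status not in (301, 302, 303, 307, 308):
            return status, pinned
        url = resp_headers["Location"]
    raise ValueError("too many redirects")
```

Over HTTPS a real `send` must still verify the certificate and send SNI for the original hostname rather than the pinned IP, which plain `requests` does not do when given an IP in the URL.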

Impact

Exploitation of this vulnerability bypasses AutoGPT's built-in SSRF protections, potentially allowing access to local services or previously blocked addresses. This could lead to unauthorized data exposure, such as leaking authentication headers or private cookies, which might contain sensitive information or credentials.

Reproduction

The vulnerability can be reproduced by using AutoGPT to send a request that includes an authorization header, such as a GitHub API request. If the request is redirected to a domain that the attacker controls, the authorization header will be leaked. This can be automated with a tool that performs DNS rebinding, resolving the same hostname to different IP addresses in quick succession, exploiting the validation flaw.

Remediation

Users can update to AutoGPT version 0.6.1 or later, where this vulnerability has been fixed.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 8.7
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 5.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.