Significant-Gravitas AutoGPT
cpe:2.3:a:agpt:autogpt:*:*:*:*:*:*:*
- <= autogpt-platform-beta-v0.6.31
A denial-of-service vulnerability has been identified in AutoGPT versions prior to 0.6.32. The Docker container deployment sets no limit on container log size: with no log rotation configured, Docker's default json-file driver appends every line the application writes to stdout/stderr to a single file that grows without bound. Under sustained user activity the accumulated log data can consume the host's disk, leading to resource exhaustion and service disruption.
Triggering this condition requires no special access; any sufficiently high volume of normal requests fills the disk, after which the application or service becomes unavailable because it can no longer write to the file system.
The vulnerability can be reproduced by deploying AutoGPT in a Docker container using a version prior to 0.6.32. Once the application is running, generate a high volume of user activity. Because the Docker deployment sets no log size limit, the container logs grow unchecked and disk usage climbs. Monitoring the host's free disk space (and the size of the container log files under Docker's data directory) shows the resources being exhausted until the application or service becomes unavailable.
Update to AutoGPT version 0.6.32 or later, where this vulnerability has been fixed. After updating, confirm that the Docker logging options limit log size. In Docker Compose this is done by adding a `logging` section to each application service that names the log driver and sets a maximum file size (`max-size`) and the number of rotated files to retain (`max-file`), so that a service's logs can never exceed `max-size` multiplied by `max-file` on disk.
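The following Docker Compose fragment is an added illustration of the mitigation described above; it is not taken from the AutoGPT repository. The service names, image tags and size values are assumptions chosen for the example. It shows the unbounded configuration beside the bounded one, using a YAML anchor so the same logging policy can be applied to every service in the file.

```yaml
# Added example, not AutoGPT's own compose file. Service names and image tags
# are placeholders; the size limits are illustrative choices.

# Shared logging policy. json-file is Docker's default driver; the two options
# below turn on rotation, which is otherwise off. Option values must be strings.
# Worst-case disk use per service = max-size * max-file = 10 MB * 3 = 30 MB.
x-bounded-logging: &bounded-logging
  driver: json-file
  options:
    max-size: "10m"
    max-file: "3"

services:
  # Weak configuration (the pattern behind this advisory): no `logging` key, so
  # the default json-file driver writes every stdout/stderr line to one file
  # under /var/lib/docker/containers/<container-id>/ with no cap or rotation.
  api_unbounded:
    image: example/autogpt-platform-backend:unbounded

  # Hardened configuration: the same service with rotation enforced. Once the
  # active file reaches 10 MB it is rotated and the oldest of the 3 files is
  # deleted, so logs can no longer fill the host disk.
  api:
    image: example/autogpt-platform-backend:bounded
    logging: *bounded-logging

  # Apply the same policy to every long-running service, not only the API;
  # any container that logs request traffic is a candidate for the same growth.
  executor:
    image: example/autogpt-platform-executor:bounded
    logging: *bounded-logging
```

To check a running container rather than the compose file, `docker inspect -f '{{json .HostConfig.LogConfig}}' <container>` prints the effective driver and options; an empty `Config` object means no limit is in force. A host-wide default can also be set in `/etc/docker/daemon.json` with `"log-driver": "json-file"` and `"log-opts": {"max-size": "10m", "max-file": "3"}`, but that default only applies to containers created after the daemon restarts, and a per-service `logging` section in Compose overrides it.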