FastGPT Cross-Site Request Forgery Vulnerability

A Cross-Site Request Forgery (CSRF) vulnerability has been identified in FastGPT versions prior to 4.14.7. This issue arises because FastGPT's web page acquisition and HTTP nodes must send data acquisition requests to the server, creating potential security risks. Although internal network isolation has been implemented in the deployment environment, this vulnerability highlights the need for stricter internal network address detection to prevent exploitation.

Impact

Exploitation of this vulnerability could lead to unauthorized actions being performed on behalf of a user, potentially allowing attackers to manipulate data or interactions within the FastGPT application.

Remediation

Users can update to FastGPT version 4.14.7 or later to address this vulnerability. Instructions for updating are available in the FastGPT release notes.