AutoGPT SendEmailBlock Server-Side Request Forgery Vulnerability Allowing Internal Network Scanning

A server-side request forgery (SSRF) vulnerability has been identified in AutoGPT versions 0.1.0 prior to 0.6.51. The issue arises in the SendEmailBlock component, which accepts user-defined SMTP server addresses and ports. These inputs are passed directly to Python's smtplib.SMTP() without any IP address validation, bypassing the application's SSRF protections. This vulnerability allows authenticated users on shared AutoGPT deployments to conduct non-blind internal network port scans and service fingerprinting. The smtplib library reveals TCP banners from connected services, which are then displayed as output in the AutoGPT interface.

Impact

Exploitation of this vulnerability allows for internal network port scanning and service fingerprinting. Open ports can be identified, and version information from various services can be extracted, potentially leading to further exploitation.

Reproduction

To reproduce this vulnerability, create a workflow with a SendEmailBlock node. Input a private IP address and an open port, such as 22 for SSH, into the SMTP server and port fields. Execute the workflow and check the output for the TCP banner response, which will indicate successful exploitation.

Remediation

Users can update to AutoGPT version 0.6.52, which addresses this vulnerability by implementing proper validation of user-supplied SMTP server and port inputs.