FastGPT Unauthenticated Server-Side Request Forgery Vulnerability in HTTP Tools Endpoint

A server-side request forgery (SSRF) vulnerability has been identified in FastGPT, an AI agent building platform, in versions prior to 4.14.9.5. The vulnerability exists in the HTTP tools testing endpoint, which is exposed without authentication. This endpoint functions as a full HTTP proxy, allowing users to send requests to internal services and external destinations, including cloud metadata services. The lack of authentication enables attackers to exploit the endpoint and access sensitive data, such as third-party API keys and internal MongoDB diagnostic information.

Impact

Exploitation of this vulnerability allows for unauthorized access to internal services and data. Attackers can steal API keys from integrated model providers, such as OpenAI and DeepSeek, leading to financial loss and unauthorized usage of these services. Additionally, the vulnerability allows access to internal MongoDB data and the ability to interact with other Docker services, such as Redis and PostgreSQL. On cloud deployments, it could also enable theft of IAM credentials from metadata services.

Reproduction

The vulnerability can be reproduced by sending an HTTP POST request to the '/api/core/app/httpTools/runTool' endpoint without any authentication. The request must include a 'baseUrl' parameter pointing to an internal service, such as MongoDB or the AI Proxy management API, along with any necessary headers or body data. Once the request is processed, the response will contain the data accessed from the internal service, demonstrating the successful exploitation of the SSRF vulnerability.

Remediation

Users are advised to update to FastGPT version 4.14.9.5 or later, where this vulnerability has been patched. For those using earlier versions, it is recommended to add authentication middleware to the HTTP tools endpoint, implement SSRF protection by validating 'baseUrl' parameters, change the default AI Proxy ADMIN_KEY to a stronger value, and ensure proper network segmentation to restrict access to internal services.