FastGPT NoSQL Injection Vulnerability in Password Login Endpoint Allows Authentication Bypass
Vulnerability
A NoSQL injection vulnerability has been identified in FastGPT, an AI agent building platform, in versions prior to 4.14.9.5. The issue arises in the password-based login endpoint, where TypeScript type assertions are used without proper runtime validation. This flaw enables an unauthenticated attacker to inject a MongoDB query operator, such as 'not equal to' an invalid password, bypassing the password verification process. As a result, the attacker can log in as any user, including the root administrator.
Impact
Exploitation of this vulnerability allows for authentication bypass, enabling attackers to gain unauthorized access to user accounts, including those with administrative privileges.
Reproduction
To reproduce this vulnerability, send a POST request to the '/api/support/user/account/loginByPassword' endpoint. Include a JSON payload that contains a valid username, a password field populated with a MongoDB query operator object (such as 'not equal to' an invalid password), and a verification code.
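The root cause named above is a TypeScript type assertion standing in for runtime validation: the assertion tells the compiler the password is a string, but a JSON body can carry an object there, and that object becomes part of the MongoDB filter. The following is an added illustration, not FastGPT's own code, that places a handler built on a bare type assertion beside one that validates the body at runtime before building the query. The user records, the in-memory matcher (which models only equality and `$ne`), and the function names `loginVulnerable`, `loginHardened` and `isLoginBody` are all constructed for this example.

```typescript
// Constructed user records standing in for a MongoDB collection. A real
// deployment stores a password hash here; that does not change the injection
// point, which is the shape of the filter, not the stored value.
interface UserDoc {
  username: string;
  password: string;
}
const USERS: UserDoc[] = [
  { username: "root", password: "stored-root-secret" },   // constructed
  { username: "alice", password: "stored-alice-secret" }, // constructed
];

// Minimal stand-in for MongoDB filter matching: a filter value is either a
// literal (equality) or an operator object. Only $ne is modelled; that is
// enough to show how an operator object changes what the query matches.
type FilterValue = unknown;
function matchesValue(fieldValue: unknown, filterValue: FilterValue): boolean {
  if (filterValue !== null && typeof filterValue === "object") {
    const ops = filterValue as Record<string, unknown>;
    if ("$ne" in ops) return fieldValue !== ops["$ne"];
    return false; // any other operator matches nothing in this toy matcher
  }
  return fieldValue === filterValue;
}
function findOne(filter: Record<string, FilterValue>): UserDoc | null {
  const hit = USERS.find((u) =>
    Object.entries(filter).every(([k, v]) => matchesValue(u[k as keyof UserDoc], v))
  );
  return hit ?? null;
}

interface LoginResult {
  status: number;
  user?: string;
}

// Vulnerable pattern: the parsed JSON body is asserted to have string fields
// but never checked, so whatever the client sent flows straight into the query.
function loginVulnerable(body: unknown): LoginResult {
  const { username, password } = body as { username: string; password: string };
  const user = findOne({ username, password });
  return user ? { status: 200, user: user.username } : { status: 401 };
}

// Hardened pattern: a runtime type guard rejects any body whose username or
// password is not a plain string, so operator objects never reach the filter.
function isLoginBody(body: unknown): body is { username: string; password: string } {
  if (body === null || typeof body !== "object") return false;
  const b = body as Record<string, unknown>;
  return typeof b.username === "string" && typeof b.password === "string";
}
function loginHardened(body: unknown): LoginResult {
  if (!isLoginBody(body)) return { status: 400 }; // reject malformed input early
  const user = findOne({ username: body.username, password: body.password });
  return user ? { status: 200, user: user.username } : { status: 401 };
}
```

The guard is the whole fix: a string password can only ever be compared for equality, whereas an object in that position is interpreted by the database as a query expression. Validating at the boundary (a schema library such as zod serves the same purpose in larger code bases) is cheaper than auditing every query for this class of bug.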
Remediation
Users are advised to update to FastGPT version 4.14.9.5 or later, where this vulnerability has been fixed.
