FastGPT NoSQL Injection Vulnerability in Password Change Endpoint Allows Account Takeover
Vulnerability
A NoSQL injection vulnerability has been identified in the password change endpoint of FastGPT, an AI agent-building platform, in versions prior to 4.14.9.5. The vulnerability allows an authenticated attacker to bypass the 'old password' verification by injecting MongoDB query operators. As a result, an attacker with a low-privileged session can change their own account password, or potentially the password of other users by manipulating user IDs, without knowing the current password. This leads to full account takeover and persistence.
Impact
Exploitation of this vulnerability allows for unauthorized password changes, leading to account takeover.
Reproduction
To reproduce this vulnerability, send a POST request to the '/api/support/user/account/updatePasswordByOld' endpoint. Include a valid session token in the cookie and inject MongoDB query operators into the 'oldPsw' field to bypass the password verification. The 'newPsw' field can be used to set a new password, effectively taking over the account.
Remediation
Update to FastGPT version 4.14.9.5 or later, where this vulnerability has been fixed.