FastGPT Shared Axios SSRF Guard Bypass Vulnerability

Vulnerability

A server-side request forgery (SSRF) vulnerability has been identified in FastGPT versions prior to 4.15.0-beta5. The issue arises because the application's shared SSRF guard only validates the initial request URL before it is sent via Axios, which by default follows redirects. This flaw allows an authenticated workflow user to manipulate an HTTP request node to call a user-controlled public URL that redirects to cloud metadata, loopback, or internal services that the guard would normally block if requested directly. The HTTP node then returns the response body to the workflow caller, effectively bypassing the SSRF protection.

Impact

Exploitation of this vulnerability allows authenticated users to use FastGPT as a proxy to access blocked internal services or cloud metadata, with the response being returned to the user, potentially exposing sensitive information.

Reproduction

To reproduce this vulnerability, an authenticated user can create a workflow that includes an HTTP request node. The user should configure this node to send a request to a public URL that they control, which is set up to redirect to a blocked internal service or cloud metadata endpoint. When the request is processed, the FastGPT SSRF guard will only validate the initial URL, allowing the redirected request to bypass the guard and access the blocked resource. The response from the internal service or metadata will be returned to the workflow caller, demonstrating the successful exploitation of the vulnerability.

Remediation

Users can upgrade to FastGPT version 4.15.0-beta5, where this vulnerability has been fixed.

Added: Jul 15, 2026, 3:33 PM
Updated: Jul 15, 2026, 3:33 PM

Vulnerability Rating

Custom Algorithm
spread
0.0
impact
0.6
exploitability
6.0
remediation
0.0
relevance
9.8
threat
6.4
urgency
2.9
incentive
0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.