Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-accessible with low-privilege authenticated access; full server memory exhaustion constitutes high - not low - availability impact.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
AutoGPT is a workflow automation platform for creating, deploying, and managing continuous artificial intelligence agents. Prior to 0.6.32, there is a DoS vulnerability in AITextSummarizerBlock. Malicious users can amplify their input. For example, if a malicious user inputs 10K of content, the server will consume 50G of memory, eventually causing memory resources to be exhausted, resulting in DoS. This vulnerability is fixed in 0.6.32.
AnalysisAI
Memory exhaustion in AutoGPT's AITextSummarizerBlock allows authenticated users to trigger extreme resource amplification - approximately 10 KB of crafted input causes the server to allocate roughly 50 GB of memory, crashing the platform for all users. All versions prior to 0.6.32 are affected per the vendor's GitHub Security Advisory (GHSA-955p-gpfx-r66j). No public exploit or CISA KEV listing has been identified, but the low attack complexity for any authenticated user makes this a realistic internal or multi-tenant threat.
Technical ContextAI
AutoGPT (by Significant-Gravitas) is a workflow automation platform for building and running autonomous AI agents. The vulnerable component, AITextSummarizerBlock, processes text content for AI-based summarization and fails to enforce limits on memory allocated during processing, conforming to CWE-770 (Allocation of Resources Without Limits or Throttling). The amplification ratio is extreme - approximately 5,000x input-to-memory - suggesting the block may be constructing unbounded intermediate data structures, tokenized representations, or context windows proportional to input without capping allocation. The affected CPE is cpe:2.3:a:significant-gravitas:autogpt:*:*:*:*:*:*:*:*, covering all releases before 0.6.32.
RemediationAI
Vendor-released patch: 0.6.32. Upgrade AutoGPT to version 0.6.32 or later, as confirmed by the vendor's GitHub Security Advisory at https://github.com/Significant-Gravitas/AutoGPT/security/advisories/GHSA-955p-gpfx-r66j. If immediate upgrade is not possible, apply compensating controls: restrict access to the AITextSummarizerBlock feature to a minimal set of trusted users via platform-level RBAC; enforce maximum request body size limits at the reverse proxy or API gateway layer (e.g., nginx client_max_body_size) to prevent oversized payloads from reaching the block; and impose container or cgroup memory limits on the AutoGPT server process so that any single runaway allocation is bounded and causes only a process restart rather than host-level exhaustion. Note that capping memory at the container level may cause the AutoGPT process to be OOM-killed mid-request, which can introduce data loss for in-flight workflows.
DOM-based cross-site scripting in AutoGPT versions prior to 0.6.62 allows remote attackers to execute arbitrary JavaScri
Denial of service in Significant-Gravitas AutoGPT prior to 0.6.63 allows remote attackers to exhaust host disk space by
Denial of service in AutoGPT prior to 0.6.63 allows remote unauthenticated users to exhaust host disk space by chaining
Denial of service in AutoGPT versions prior to 0.6.63 allows remote unauthenticated attackers to exhaust disk space on t
Resource exhaustion denial-of-service in Significant Gravitas AutoGPT versions prior to 0.6.63 allows remote unauthentic
Server-side request forgery in the AutoGPT Platform (versions prior to 0.6.52) lets an authenticated user abuse the Send
Unauthenticated denial-of-service in AutoGPT Platform versions 0.4.2 through 0.6.51 allows remote attackers to exhaust s
Authenticated session hijacking in Significant Gravitas AutoGPT versions 0.6.36 through 0.6.50 allows any logged-in user
Disk exhaustion denial-of-service in Significant Gravitas AutoGPT prior to version 0.6.63 allows authenticated platform
{webhook_id}/ping` endpoint performs no ownership check - only verifying that a caller is authenticated, not that the ta
Memory amplification denial-of-service in AutoGPT's ExtractTextInformationBlock enables authenticated users to exhaust s
Same technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-210364