Skip to main content

AutoGPT CVE-2025-32422

| EUVDEUVD-2025-210280 HIGH
Uncontrolled Resource Consumption (CWE-400)
2026-06-18 GitHub_M
8.7
CVSS 4.0 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.5 HIGH

Network-reachable workflow submission with no auth or interaction in default AutoGPT deployments yields AV:N/AC:L/PR:N/UI:N; impact is pure disk-exhaustion DoS, so C:N/I:N/A:H.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Patch available
Jun 18, 2026 - 19:01 EUVD
Analysis Generated
Jun 18, 2026 - 17:03 vuln.today

DescriptionCVE.org

AutoGPT is a workflow automation platform for creating, deploying, and managing continuous artificial intelligence agents. Prior to 0.6.63, StepThroughItemsBlock can iterate all the contents in a list and send them to FileStoreBlock for downloading one by one. Although FileStoreBlock has access time limits for downloading files, StepThroughItemsBlock can be used to slowly iterate and download relatively small files (e.g., 100M) multiple times. StepThroughItemsBlock does not limit the number of loops. In addition, FileStoreBlock does not limit the amount of disk space consumed in the current working directory. When a malicious user chooses to download too many videos, the disk space will eventually run out, causing a DoS. Version 0.6.63 patches the issue.

AnalysisAI

Denial of service in AutoGPT versions prior to 0.6.63 allows remote unauthenticated attackers to exhaust disk space on the host running the workflow automation platform by abusing the StepThroughItemsBlock to repeatedly drive FileStoreBlock downloads. The platform's StepThroughItemsBlock has no loop cap and FileStoreBlock enforces no working-directory disk quota, so an attacker can iteratively download moderately sized files (e.g., 100MB) until storage is exhausted. No public exploit identified at time of analysis, but the GitHub Security Advisory GHSA-9fr4-9jj9-mhh6 confirms the issue and the fix in 0.6.63.

Technical ContextAI

AutoGPT (cpe:2.3:a:significant-gravitas:autogpt) is a Python-based workflow automation platform that chains together composable 'blocks' to build autonomous AI agent pipelines. Two such blocks interact unsafely here: StepThroughItemsBlock iterates over an arbitrary input list and forwards each element to the next block, and FileStoreBlock retrieves a file from a URL into the current working directory. The root cause maps to CWE-400 (Uncontrolled Resource Consumption): neither block enforces an upper bound - StepThroughItemsBlock has no maximum iteration count, and FileStoreBlock enforces only a per-download time/access window rather than a cumulative disk-space quota. Chained together, they form an unbounded download loop that writes to local storage with no aggregate ceiling.

RemediationAI

Vendor-released patch: upgrade AutoGPT to version 0.6.63 or later, which addresses the issue per advisory GHSA-9fr4-9jj9-mhh6 (https://github.com/Significant-Gravitas/AutoGPT/security/advisories/GHSA-9fr4-9jj9-mhh6). Where immediate patching is not possible, compensating controls include restricting who can create or submit workflows so untrusted users cannot author graphs containing StepThroughItemsBlock+FileStoreBlock chains (trade-off: limits multi-tenant functionality), placing the AutoGPT working directory on a dedicated filesystem or volume with a hard quota so disk exhaustion cannot impact the rest of the host (trade-off: legitimate large workflows may fail), and adding monitoring/alerting on working-directory growth rate plus egress traffic from FileStore downloads to detect abuse early (trade-off: detective rather than preventive). Network-level egress filtering to constrain which URLs FileStoreBlock can reach further reduces the attack surface but may break legitimate agent workflows.

CVE-2026-55237 HIGH
8.8 Jun 18

DOM-based cross-site scripting in AutoGPT versions prior to 0.6.62 allows remote attackers to execute arbitrary JavaScri

CVE-2025-32437 HIGH
8.7 Jun 18

Denial of service in Significant-Gravitas AutoGPT prior to 0.6.63 allows remote attackers to exhaust host disk space by

CVE-2025-32424 HIGH
8.7 Jun 18

Denial of service in AutoGPT prior to 0.6.63 allows remote unauthenticated users to exhaust host disk space by chaining

CVE-2025-32392 HIGH
8.7 Jun 18

Resource exhaustion denial-of-service in Significant Gravitas AutoGPT versions prior to 0.6.63 allows remote unauthentic

CVE-2026-56663 HIGH
8.5 Jun 26

Server-side request forgery in the AutoGPT Platform (versions prior to 0.6.52) lets an authenticated user abuse the Send

CVE-2026-33232 HIGH
7.5 May 19

Unauthenticated denial-of-service in AutoGPT Platform versions 0.4.2 through 0.6.51 allows remote attackers to exhaust s

CVE-2026-30950 HIGH
7.1 May 18

Authenticated session hijacking in Significant Gravitas AutoGPT versions 0.6.36 through 0.6.50 allows any logged-in user

CVE-2025-32436 HIGH
7.1 Jun 18

Disk exhaustion denial-of-service in Significant Gravitas AutoGPT prior to version 0.6.63 allows authenticated platform

CVE-2026-56823 MEDIUM
5.4 Jun 26

{webhook_id}/ping` endpoint performs no ownership check - only verifying that a caller is authenticated, not that the ta

CVE-2025-32423 MEDIUM
5.3 Jun 26

Memory amplification denial-of-service in AutoGPT's ExtractTextInformationBlock enables authenticated users to exhaust s

CVE-2025-32394 MEDIUM
5.3 Jun 26

Memory exhaustion in AutoGPT's AITextSummarizerBlock allows authenticated users to trigger extreme resource amplificatio

Share

CVE-2025-32422 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy