Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable and low-complexity, but exploitation requires the ability to author and run an agent graph, which in realistic deployments implies at least a low-privilege account; only availability is impacted.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
AutoGPT is a workflow automation platform for creating, deploying, and managing continuous artificial intelligence agents. Prior to 0.6.63, ScreenshotWebPageBlock will store the captured screenshots in a temporary directory. StepThroughItemsBlock can be used to iterate ScreenshotWebPageBlock multiple times. StepThroughItemsBlock does not limit the number of loops. In addition, ScreenshotWebPageBlock does not limit the amount of disk space consumed in the current working directory. When a malicious user chooses to screen shot many web pages, the disk space will eventually run out, causing a DoS. Version 0.6.63 patches the issue.
AnalysisAI
Denial of service in AutoGPT prior to 0.6.63 allows remote unauthenticated users to exhaust host disk space by chaining the StepThroughItemsBlock with the ScreenshotWebPageBlock to capture an unbounded number of screenshots into a temporary directory. No public exploit identified at time of analysis, but the attack requires no authentication and CVSS 4.0 rates availability impact as High (8.7).
Technical ContextAI
AutoGPT (Significant-Gravitas) is a workflow automation platform that composes AI agents from chainable 'Blocks'. The ScreenshotWebPageBlock writes captured page images to a temporary directory on the server's working filesystem, while the StepThroughItemsBlock provides iteration over a list of inputs. Neither block enforces a cap on iteration count nor on cumulative disk usage, which is a classic CWE-400 Uncontrolled Resource Consumption pattern: an attacker-controlled input set drives an O(n) resource allocation with no quota or rate-limit boundary.
RemediationAI
Upgrade to AutoGPT 0.6.63 or later, which patches both blocks per the vendor advisory at https://github.com/Significant-Gravitas/AutoGPT/security/advisories/GHSA-7g34-7fvq-xxq6 (Vendor-released patch: 0.6.63). If immediate upgrade is not possible, restrict who can author or run agent graphs by placing AutoGPT behind authentication and removing untrusted users' ability to use the ScreenshotWebPageBlock or StepThroughItemsBlock (trade-off: breaks any legitimate workflow that relies on iterated screenshots), enforce filesystem quotas or a dedicated tmpfs with a hard size cap on AutoGPT's working/temp directory so disk exhaustion is contained to the agent runtime rather than the host (trade-off: legitimate long screenshot jobs will fail mid-run), and add monitoring/alerting on disk usage so the condition is detected before the host OS becomes unresponsive.
DOM-based cross-site scripting in AutoGPT versions prior to 0.6.62 allows remote attackers to execute arbitrary JavaScri
Denial of service in Significant-Gravitas AutoGPT prior to 0.6.63 allows remote attackers to exhaust host disk space by
Denial of service in AutoGPT versions prior to 0.6.63 allows remote unauthenticated attackers to exhaust disk space on t
Resource exhaustion denial-of-service in Significant Gravitas AutoGPT versions prior to 0.6.63 allows remote unauthentic
Server-side request forgery in the AutoGPT Platform (versions prior to 0.6.52) lets an authenticated user abuse the Send
Unauthenticated denial-of-service in AutoGPT Platform versions 0.4.2 through 0.6.51 allows remote attackers to exhaust s
Authenticated session hijacking in Significant Gravitas AutoGPT versions 0.6.36 through 0.6.50 allows any logged-in user
Disk exhaustion denial-of-service in Significant Gravitas AutoGPT prior to version 0.6.63 allows authenticated platform
{webhook_id}/ping` endpoint performs no ownership check - only verifying that a caller is authenticated, not that the ta
Memory amplification denial-of-service in AutoGPT's ExtractTextInformationBlock enables authenticated users to exhaust s
Memory exhaustion in AutoGPT's AITextSummarizerBlock allows authenticated users to trigger extreme resource amplificatio
Same weakness CWE-400 – Uncontrolled Resource Consumption
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-210281