Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Exploitation requires authoring/running a workflow on the AutoGPT instance, so PR:L rather than PR:N; impact is availability-only (disk exhaustion), so C:N/I:N/A:H.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
AutoGPT is a workflow automation platform for creating, deploying, and managing continuous artificial intelligence agents. Prior to 0.6.63, MediaDurationBlock will download and store the video in a temporary directory without deleting before all noded are done. StepThroughItemsBlock can be used to iterate MediaDurationBlock multiple times. StepThroughItemsBlock does not limit the number of loops. In addition, MediaDurationBlock does not limit the amount of disk space consumed in the current working directory and does not delete the video after outputing the result. When a malicious user chooses to screen shot many web pages, the disk space will eventually run out, causing a DoS. Version 0.6.63 patches the issue.
AnalysisAI
Denial of service in Significant-Gravitas AutoGPT prior to 0.6.63 allows remote attackers to exhaust host disk space by chaining the unbounded StepThroughItemsBlock loop with MediaDurationBlock, which downloads videos to a temporary directory and never cleans them up. No public exploit identified at time of analysis, but the flaw is trivially triggerable through the normal agent-building UI in any AutoGPT instance reachable by an untrusted user.
Technical ContextAI
AutoGPT is an agent-orchestration platform whose workflows are composed of reusable 'blocks.' The MediaDurationBlock fetches remote media (e.g., screenshots, videos) into the working directory to read its duration but lacks any cleanup-on-exit or per-invocation size cap, while StepThroughItemsBlock provides an iterator with no upper bound on iteration count. Combined, they form a classic CWE-400 Uncontrolled Resource Consumption primitive: each loop iteration writes new media to disk and never frees it. The affected CPE is cpe:2.3:a:significant-gravitas:autogpt:*:*:*:*:*:*:*:* for all versions below 0.6.63.
RemediationAI
Vendor-released patch: upgrade to AutoGPT 0.6.63 or later, which fixes both the missing cleanup in MediaDurationBlock and the unbounded iteration in StepThroughItemsBlock; see https://github.com/Significant-Gravitas/AutoGPT/security/advisories/GHSA-rg6v-m9x9-7wf9. If immediate upgrade is not possible, compensating controls include disabling or removing MediaDurationBlock and StepThroughItemsBlock from the available block registry (trade-off: any legitimate workflow using them will break), restricting workflow authoring to trusted/authenticated users via reverse-proxy authentication, running AutoGPT inside a container or VM with a strict tmpfs/disk quota on the working directory so resource exhaustion is contained, and monitoring disk usage with alerting to detect runaway workflows.
DOM-based cross-site scripting in AutoGPT versions prior to 0.6.62 allows remote attackers to execute arbitrary JavaScri
Denial of service in AutoGPT prior to 0.6.63 allows remote unauthenticated users to exhaust host disk space by chaining
Denial of service in AutoGPT versions prior to 0.6.63 allows remote unauthenticated attackers to exhaust disk space on t
Resource exhaustion denial-of-service in Significant Gravitas AutoGPT versions prior to 0.6.63 allows remote unauthentic
Server-side request forgery in the AutoGPT Platform (versions prior to 0.6.52) lets an authenticated user abuse the Send
Unauthenticated denial-of-service in AutoGPT Platform versions 0.4.2 through 0.6.51 allows remote attackers to exhaust s
Authenticated session hijacking in Significant Gravitas AutoGPT versions 0.6.36 through 0.6.50 allows any logged-in user
Disk exhaustion denial-of-service in Significant Gravitas AutoGPT prior to version 0.6.63 allows authenticated platform
{webhook_id}/ping` endpoint performs no ownership check - only verifying that a caller is authenticated, not that the ta
Memory amplification denial-of-service in AutoGPT's ExtractTextInformationBlock enables authenticated users to exhaust s
Memory exhaustion in AutoGPT's AITextSummarizerBlock allows authenticated users to trigger extreme resource amplificatio
Same weakness CWE-400 – Uncontrolled Resource Consumption
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-210283