Cross-user sharing of node execution results through WebSockets API

Low
ntindle published GHSA-958f-37vw-jx8f Apr 11, 2025

Package

autogpt-platform-backend

Affected versions

< 0.6.1

Patched versions

0.6.1

Description

Impact

The AutoGPT Platform's WebSocket API transmitted node execution updates to subscribers based on the graph_id+graph_version. Additionally, there was no check prohibiting users from subscribing with another user's graph_id+graph_version.

As a result, node execution updates from one user's graph execution could be received by another user within the same instance in either of two scenarios:

  • Through the Marketplace, multiple users have access to the same graph. If their clients are active and subscribed to an execution simultaneously, they could have received node execution updates from each other.
  • A malicious actor acquires a graph_id and graph_version belonging to another user (their target) and subscribes to the target user's graph executions directly through the WS API.

This vulnerability does not occur between different instances or between users and non-users of the platform. Single-user instances are not affected. In private instances with a user white-list, the impact is limited by the fact that all potential unintended recipients of these node execution updates must have been admitted by the administrator.

Patches

The problem was patched, and the patch rolled out to production, on the day of discovery:
fix(backend/ws): Add user_id to websocket event subscription key - #9660

The patch was also included in the subsequent release of the platform:
AutoGPT Platform v0.6.1

We discovered this vulnerability ourselves, and have no indication whether anyone else found or experienced this vulnerability up until we found it.
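
The effect of the subscription-key change named in the patch title, shown as an added example that is not the AutoGPT Platform's own code. The `Broker` class, its methods, the connection ids and the event fields are hypothetical, and the example assumes each node execution event records the executing user's id.

```python
from collections import defaultdict

class Broker:
    """In-memory stand-in for a WebSocket connection manager (hypothetical names)."""

    def __init__(self, scope_by_user: bool):
        self.scope_by_user = scope_by_user   # False: pre-patch key, True: patched key
        self.conn_user = {}                  # connection id -> authenticated user id
        self.subs = defaultdict(set)         # channel key -> subscribed connection ids

    def _key(self, user_id, graph_id, graph_version):
        if self.scope_by_user:
            return (user_id, graph_id, graph_version)
        return (graph_id, graph_version)

    def connect(self, conn_id, user_id):
        self.conn_user[conn_id] = user_id

    def subscribe(self, conn_id, graph_id, graph_version):
        # The user id comes from the authenticated connection, never from the
        # subscribe message, so a client cannot name another user's channel.
        user_id = self.conn_user[conn_id]
        self.subs[self._key(user_id, graph_id, graph_version)].add(conn_id)

    def publish(self, event):
        # Assumption: each node execution event records the executing user's id.
        key = self._key(event["user_id"], event["graph_id"], event["graph_version"])
        return sorted(self.subs.get(key, set()))  # connections that receive the event


def delivered_to(scope_by_user: bool):
    """Alice and Bob subscribe to the same graph; Alice runs it. Who gets her update?"""
    broker = Broker(scope_by_user)
    broker.connect("conn-alice", "alice")
    broker.connect("conn-bob", "bob")
    # Constructed sample ids: a graph both users can reference, e.g. via the Marketplace.
    broker.subscribe("conn-alice", "graph-123", 1)
    broker.subscribe("conn-bob", "graph-123", 1)
    event = {"user_id": "alice", "graph_id": "graph-123", "graph_version": 1,
             "node_id": "node-1", "status": "COMPLETED"}
    return broker.publish(event)


if __name__ == "__main__":
    print("graph-only key:", delivered_to(scope_by_user=False))
    print("user-scoped key:", delivered_to(scope_by_user=True))
```

With the graph-only key both connections receive Alice's update; with the user-scoped key only her own connection does, which covers both scenarios listed under Impact.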

Severity

Low


CVSS v3 base metrics

  • Attack vector: Network
  • Attack complexity: Low
  • Privileges required: Low
  • User interaction: Required
  • Scope: Unchanged
  • Confidentiality: Low
  • Integrity: None
  • Availability: None

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N

CVE ID

CVE-2025-31494

Weaknesses

Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
