Skip to content

Leakage of cross-domain cookies and protected headers in requests redirect

High
ntindle published GHSA-ggcm-93qg-gfhp Apr 11, 2025

Package

AutoGPT

Affected versions

<=0.6.0

Patched versions

>=autogpt-platform-beta-v0.6.1

Description

Description

AutoGPT uses a wrapper around the requests python library, located in autogpt_platform/backend/backend/util/request.py. In this wrapper, redirects are specifically NOT followed for the first request, as specified here. If the wrapper is used with allow_redirects set to True (which is the default), any redirect is not followed by the initial request, but rather re-requested by the wrapper using the new location, here. The code is shown below:

        # Perform the request with redirects disabled for manual handling
        response = req.request(
            method,
            url,
            headers=headers,
            allow_redirects=False,
            *args,
            **kwargs,
        )
        if self.raise_for_status:
            response.raise_for_status()

        # If allowed and a redirect is received, follow the redirect
        if allow_redirects and response.is_redirect:
            if max_redirects <= 0:
                raise Exception("Too many redirects.")

            location = response.headers.get("Location")
            if not location:
                return response

            new_url = validate_url(urljoin(url, location), self.trusted_origins)
            if self.extra_url_validator is not None:
                new_url = self.extra_url_validator(new_url)

            return self.request(
                method,
                new_url,
                headers=headers,
                allow_redirects=allow_redirects,
                max_redirects=max_redirects - 1,
                *args,
                **kwargs,
            )

However, there is a fundamental flaw in manually re-requesting the new location: it does not account for security-sensitive headers which should not be sent cross-origin, such as the Authorization and Proxy-Authorization header, and cookies.

For example in autogpt_platform/backend/backend/blocks/github/_api.py, an Authorization header is set when retrieving data from the GitHub API. However, if GitHub suffers from an open redirect vulnerability (such as the made-up example of https://api.github.com/repos/{owner}/{repo}/issues/comments/{comment_id}/../../../../../redirect/?url=https://joshua.hu/), and the script can be coerced into visiting it with the Authorization header, the GitHub credentials in the Authorization header will be leaked to https://joshua.hu/.

The standard requests library does not suffer from this vulnerability. If a redirect occurs (and is followed), headers are not sent cross-origin (different domain, protocol, or port). That can be seen here and here. Those headers are the Proxy-Authorization and Authorization headers. Cookies are also not blindly re-transmitted, as they follow the standard cookiejar format.

Proof of Concept

No matter how the request() wrapper function is used, whether it be the aforementioned GitHub code in AutoGPT, or when request() is used by the actual AI, any redirect cross-origin will leak any private information which has been set in the headers or cookies. This could mean that users' secrets are leaked, or the server's secrets.

Impact

Leak auth headers, leak private cookies.

Severity

High

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
None

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

CVE ID

CVE-2025-31491

Weaknesses

Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. Learn more on MITRE.

Credits