FastGPT is an AI Agent building platform. Prior to version 4.14.9.5, the FastGPT HTTP tools testing endpoint (/api/core/app/httpTools/runTool) is exposed without any authentication. This endpoint acts as a full HTTP proxy — it accepts a user-supplied baseUrl, toolPath, HTTP method, custom headers, and body, then makes a server-side HTTP request and returns the complete response to the caller. This issue has been patched in version 4.14.9.5.
The endpoint accepts user-supplied parameters: baseUrl, toolPath, HTTP method, headers, and request body, then independently executes an HTTP request on the server side and returns the full response to the caller. The lack of authentication mechanism (CWE-306) combined with the proxy function means that an attacker can direct requests to any network resources accessible from the server level (CWE-918). This makes it possible to query internal network infrastructure, cloud services (e.g., instance metadata endpoints), or other resources not directly accessible from the Internet.
An attacker without any privileges can gain access to sensitive internal network resources, steal credentials from cloud metadata services, and compromise the integrity and confidentiality of internal systems accessible from the FastGPT server.
FastGPT should be updated to version 4.14.9.5, in which the vulnerability has been fixed. The patch is available in the project repository (commit bc7eae2ed61481a5e322208829be291faec58c00) and as an official release v4.14.9.5.
FastGPT (labring/FastGPT) in all versions before 4.14.9.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:LFastgpt
APPFastgpt< 4.14.9.5
Related vulnerabilities
NoSQL Injection w FastGPT umożliwia pominięcie uwierzytelnienia
FastGPT: RCE i eksfiltracja sekretów przez złośliwy Dockerfile w workflow CI/CD
FastGPT is an AI Agent building platform. In versions prior to 4.14.9.5, the password change endpoint is vulne...
FastGPT is an AI Agent building platform. Prior to version 4.14.9.5, FastGPT's MCP (Model Context Protocol) to...
FastGPT is an AI Agent building platform. Prior to 4.14.10.4, Broken Access Control vulnerability (IDOR/BOLA) ...