CVE-2024-1879

Source
https://cve.org/CVERecord?id=CVE-2024-1879
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-1879.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-1879
Published
2024-06-06T17:53:21.654Z
Modified
2026-07-15T01:48:52.988740533Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
Summary
CSRF to RCE in significant-gravitas/autogpt
Details

A Cross-Site Request Forgery (CSRF) vulnerability in significant-gravitas/autogpt version v0.5.0 allows attackers to execute arbitrary commands on the AutoGPT server. The vulnerability stems from the lack of protections on the API endpoint receiving instructions, enabling an attacker to direct a user running AutoGPT in their local network to a malicious website. This site can then send crafted requests to the AutoGPT server, leading to command execution. The issue is exacerbated by CORS being enabled for arbitrary origins by default, allowing the attacker to read the response of all cross-site queries. This vulnerability was addressed in version 5.1.

Database specific
{
    "cna_assigner": "@huntr_ai",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/1xxx/CVE-2024-1879.json",
    "cwe_ids": [
        "CWE-352"
    ],
    "unresolved_ranges": [
        {
            "source": "AFFECTED_FIELD",
            "extracted_events": [
                {
                    "fixed": "5.1"
                }
            ]
        }
    ]
}
References

Affected packages

Git / github.com/significant-gravitas/autogpt

Affected ranges

Type
GIT
Repo
https://github.com/significant-gravitas/autogpt
Events
Database specific
{
    "cpe": "cpe:2.3:a:agpt:autogpt_classic:0.5.0:*:*:*:*:*:*:*",
    "source": [
        "CPE_STRING",
        "REFERENCES"
    ],
    "extracted_events": [
        {
            "introduced": "0.5.0"
        },
        {
            "last_affected": "0.5.0"
        }
    ]
}

Affected versions

0.*
0.5.0
autogpt-v0.*
autogpt-v0.5.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-1879.json"