漏洞信息
尽管我们使用了先进的大模型技术,但其输出仍可能包含不准确或过时的信息。神龙努力确保数据的准确性,但请您根据实际情况进行核实和判断。
Vulnerability Title
FastGPT: Unauthenticated SSRF via httpTools Endpoint Leads to Internal API Key Theft
Vulnerability Description
FastGPT is an AI Agent building platform. Prior to version 4.14.9.5, the FastGPT HTTP tools testing endpoint (/api/core/app/httpTools/runTool) is exposed without any authentication. This endpoint acts as a full HTTP proxy — it accepts a user-supplied baseUrl, toolPath, HTTP method, custom headers, and body, then makes a server-side HTTP request and returns the complete response to the caller. This issue has been patched in version 4.14.9.5.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L
Vulnerability Type
关键功能的认证机制缺失
Vulnerability Title
FastGPT 代码问题漏洞
Vulnerability Description
FastGPT是labring开源的一款基于大语言模型的开源知识库问答系统。 FastGPT 4.14.9.5之前版本存在代码问题漏洞,该漏洞源于FastGPT HTTP工具测试端点/api/core/app/httpTools/runTool在没有任何身份验证的情况下暴露,该端点充当完整的HTTP代理,可能导致服务器端HTTP请求被滥用。
CVSS Information
N/A
Vulnerability Type
N/A