Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
FastGPT has Unauthenticated SSRF in /api/core/app/mcpTools/runTool via missing CHECK_INTERNAL_IP default
Vulnerability Description
FastGPT is an AI Agent building platform. Prior to 4.14.10.3, the /api/core/app/mcpTools/runTool endpoint accepts arbitrary URLs without authentication. The internal IP check in isInternalAddress() only blocks private IPs when CHECK_INTERNAL_IP=true, which is not the default. This allows unauthenticated attackers to perform SSRF against internal network resources. This vulnerability is fixed in 4.14.10.3.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Vulnerability Type
服务端请求伪造(SSRF)
Vulnerability Title
FastGPT 代码问题漏洞
Vulnerability Description
FastGPT是labring开源的一款基于大语言模型的开源知识库问答系统。 FastGPT 4.14.10.3之前版本存在代码问题漏洞,该漏洞源于/api/core/app/mcpTools/runTool端点未经验证接受任意URL,可能导致服务端请求伪造攻击。
CVSS Information
N/A
Vulnerability Type
N/A