CVE-2025-27600

MEDIUM CVSS 4.0: 6.9 EPSS 0.16%
Updated Dec 29, 2025
Fastgpt
Parameter Value
CVSS 6.9 (MEDIUM)
Affected Versions before 4.9.0
Fixed In 4.9.0
Type CWE-918 (Server-Side Request Forgery (SSRF))
Vendor Fastgpt
Public PoC No

FastGPT is a knowledge-base platform built on LLMs. Because its web-crawling plug-in does not check whether the target resolves to an intranet IP address, an attacker can submit a URL pointing at an internal address; the server then issues the request from inside the network and may return private intranet data to the attacker (server-side request forgery). This issue is fixed in 4.9.0.

Attack Parameters

Attack Vector
Network
Can be exploited remotely
Attack Complexity
Low
Easy to exploit
Attack Requirements
None
No additional conditions
Privileges Required
None
No privileges needed
User Interaction
None
No user interaction needed

Impact Assessment

Confidentiality
None
No data leak
Integrity
None
No data modification
Availability
None
No disruption

CVSS Vector v4.0

Vulnerable Products 1

Configuration: Fastgpt Fastgpt (cpe:2.3:a:fastgpt:fastgpt:*:*:*:*:*:*:*:*)
From (including): (not listed)
Up to (excluding): 4.9.0