Impact
FastGPT, an AI agent building platform, contains a server-side request forgery flaw in versions 4.14.11 and earlier that allows attackers to reach protected cloud metadata endpoints. The flaw resides in the isInternalAddress() routine, which filters URLs with a simple fullUrl.startsWith() test against a hard-coded blocklist; this check can be bypassed with at least seven different URL-encoding techniques that resolve to the metadata service yet do not match any blocklist entry. Additionally, the private-IP validation routine is disabled by default because CHECK_INTERNAL_IP defaults to false, so the bypassed requests reach the metadata endpoint without further verification. Adversaries who can inject a URL that FastGPT subsequently fetches internally can read sensitive data such as instance identity, credentials, and other privileged information, thereby compromising confidentiality and integrity.
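The following is an added illustration, not FastGPT's code, of the two defects the advisory names: a prefix blocklist compared with startsWith(), shown beside a fail-closed check that classifies the parsed, normalised host by address range and treats the internal-IP check as on by default. All function names and blocklist entries are assumptions made for the example.

```typescript
// Added example, not FastGPT's code: a prefix blocklist of the kind the advisory
// describes next to a fail-closed check. Names and blocklist entries are constructed.
const PREFIX_BLOCKLIST = ["http://169.254.169.254", "http://127.0.0.1", "http://localhost"];

// Weak form: literal prefix match on the raw string, so the decision depends on spelling.
export function isInternalAddressByPrefix(fullUrl: string): boolean {
  return PREFIX_BLOCKLIST.some((prefix) => fullUrl.startsWith(prefix));
}

// Strict dotted-quad parser; anything else (hostnames, IPv6) returns null.
function parseIPv4(host: string): number[] | null {
  const parts = host.split(".");
  if (parts.length !== 4 || !parts.every((p) => /^\d{1,3}$/.test(p))) return null;
  const octets = parts.map(Number);
  return octets.every((o) => o <= 255) ? octets : null;
}

function isPrivateIPv4([a, b]: number[]): boolean {
  return a === 0 || a === 10 || a === 127 || a >= 224 || (a === 169 && b === 254) ||
    (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168) || (a === 100 && b >= 64 && b <= 127);
}

function isPrivateIPv6(host: string): boolean {
  return host === "::" || host === "::1" || /^fe[89ab]/.test(host) || /^f[cd]/.test(host);
}

// Hardened form: the WHATWG URL parser canonicalises percent-encoding and numeric host
// spellings; the normalised host is then classified by range. Unparsable input fails closed.
export function isInternalAddress(fullUrl: string): boolean {
  let url: URL;
  try { url = new URL(fullUrl); } catch { return true; }
  if (url.protocol !== "http:" && url.protocol !== "https:") return true;
  let host = url.hostname.toLowerCase().replace(/\.$/, "");
  if (host.startsWith("[") && host.endsWith("]")) host = host.slice(1, -1); // IPv6 literal
  const mapped = /^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/.exec(host);   // IPv4-mapped IPv6
  if (mapped) {
    const [hi, lo] = mapped.slice(1).map((g) => parseInt(g, 16));
    host = `${hi >> 8}.${hi & 255}.${lo >> 8}.${lo & 255}`;
  }
  if (host === "localhost" || host.endsWith(".localhost")) return true;
  const v4 = parseIPv4(host);
  if (v4) return isPrivateIPv4(v4);
  if (host.includes(":")) return isPrivateIPv6(host);
  // Hostnames pass only by shape: resolve and re-check the A/AAAA records at connect time (DNS rebinding).
  return false;
}
// Default-secure configuration: the check runs unless an operator explicitly opts out.
export function internalIpCheckEnabled(env: Record<string, string | undefined>): boolean {
  return env.CHECK_INTERNAL_IP !== "false";
}
```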
Affected Systems
The vulnerability impacts the labring FastGPT platform, specifically all releases 4.14.11 and earlier. No other products or vendors are known to be affected.
Risk and Exploitability
The CVSS score of 7.7 indicates a high severity level. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is through an application endpoint that accepts user-supplied URLs or data that FastGPT uses to issue internal HTTP requests. Successful exploitation would grant an attacker read access to the cloud metadata endpoint, exposing sensitive instance, network, and authentication information. As the bypass requires only the presence of the internal fetch mechanism and the default configuration that leaves internal IP checking disabled, the exploitation likelihood is high for publicly exposed FastGPT deployments that have not applied a patch or mitigated the SSRF check.
OpenCVE Enrichment