Impact
AutoGPT, a workflow automation platform, contains a DOM‑based XSS flaw in its signup page. The application passes the URL parameter `next` directly to router.push without validation, allowing an attacker to create a malicious link. When an authenticated user clicks the link, the browser executes arbitrary JavaScript in the user’s context, enabling credential theft, network pivoting, and unauthorized operations on behalf of the victim.
Affected Systems
The vulnerability affects the Significant‑Gravitas AutoGPT product, specifically all releases before 0.6.62. Users running earlier versions are at risk, while version 0.6.62 and later contain the fix.
Risk and Exploitability
The flaw carries a CVSS score of 8.8, categorising it as high severity. EPSS data are unavailable and the issue is not listed in the CISA KEV catalog. An attacker can exploit it by delivering a crafted URL to a logged‑in user, causing a client‑side redirect and script execution. Successful exploitation would allow the attacker to hijack the victim’s session and perform actions within the AutoGPT environment.
OpenCVE Enrichment