CVE-2025-52552

Severity: Medium · EPSS 14.1%
Published Jun 21, 2025 (1y ago) · Modified Jun 17, 2026 (1w ago)
CVSS 4.0 base score 5.5 (Medium)

Description

FastGPT is an AI agent building platform. Prior to version 4.9.12, the LastRoute parameter on the login page is vulnerable to open redirect and DOM-based XSS. The parameter is consumed without validation or sanitization, so an attacker who gets a victim to open a crafted login link can execute malicious JavaScript in the victim's browser or send the victim to an attacker-controlled site. This issue has been patched in version 4.9.12.
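The pattern behind CWE-601 and CWE-79 here is a "return to this route after login" value taken straight from the query string and handed to the browser's navigation API. The block below is an added example, not FastGPT's code and not the patch in the referenced commit: the parameter name `lastRoute`, the helper names and the `/` fallback are assumptions modelled on the description. It contrasts the naive pattern with a validator that only accepts same-origin paths, so a `javascript:` URL (the DOM XSS case) or an external or protocol-relative URL (the open redirect case) never reaches `window.location`.

```javascript
// Added example (not FastGPT code). Parameter name "lastRoute" and the
// vulnerable pattern are assumptions based on the CVE description.

// Vulnerable pattern (assumed): the query value is trusted verbatim.
// Assigning this to window.location.href lets "javascript:..." execute
// in the page (CWE-79) and "https://attacker.example" leave the site (CWE-601).
function vulnerableRedirectTarget(search) {
  const params = new URLSearchParams(search);
  return params.get('lastRoute') || '/';
}

// Hardened: accept only a path rooted at this origin.
// URLSearchParams has already percent-decoded the value once, so
// "%2F%2Fevil.example" arrives here as "//evil.example".
function safeRedirectTarget(search, fallback = '/') {
  const params = new URLSearchParams(search);
  const value = params.get('lastRoute');
  if (!value) return fallback;

  // Must start with exactly one "/": "//host" is a network-path reference
  // and browsers treat "/\host" the same way for http(s) URLs.
  if (!/^\/(?![/\\])/.test(value)) return fallback;

  // Reject control characters and whitespace (CR/LF/TAB), which URL
  // parsers strip and which can hide a scheme or host from naive checks.
  if (/[\u0000-\u001F\u007F\s]/.test(value)) return fallback;

  // Let the real URL parser have the final word: resolving against a
  // dummy origin must stay on that origin.
  const base = 'https://app.invalid';
  let parsed;
  try {
    parsed = new URL(value, base);
  } catch {
    return fallback;
  }
  if (parsed.origin !== base) return fallback;

  // Return the validated original string; resolved against the real
  // origin by the browser it can only land on this site.
  return value;
}

// Constructed sample inputs a login page might receive.
function demo() {
  const samples = [
    '?lastRoute=/app/chat',
    '?lastRoute=javascript:alert(1)',
    '?lastRoute=https://evil.example/',
    '?lastRoute=//evil.example',
    '?lastRoute=%2F%2Fevil.example',
    '?lastRoute=/%5Cevil.example',
  ];
  return samples.map((s) => [s, vulnerableRedirectTarget(s), safeRedirectTarget(s)]);
}

for (const [input, naive, safe] of demo()) {
  console.log(`${input}\n  naive -> ${naive}\n  safe  -> ${safe}`);
}
```

The validator deliberately keeps an allow-list shape (one leading slash, no control characters, same origin after parsing) rather than a block-list of bad prefixes; a check such as `startsWith('/')` alone still passes `//evil.example` and `/\evil.example`, which browsers resolve to another host.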

CVSS Details

Base Score
5.5
Exploitability Network-reachable, low complexity, attack requirements present (AT:P), no privileges, active user interaction
Impact None on the vulnerable system (VC:N/VI:N/VA:N); high confidentiality, integrity and availability impact on subsequent systems (SC:H/SI:H/SA:H)
Vector string
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector Network
Attack Complexity Low
Attack Requirements Present
Privileges Required None
User Interaction Active
Vulnerable System Impact C:N / I:N / A:N
Subsequent System Impact C:H / I:H / A:H

Threat Intelligence

EPSS Exploit Probability 14.1%
Exploit & Patch Status
Public Exploit Known
Patch Available

Weaknesses 2

CWE-601 URL Redirection to Untrusted Site ('Open Redirect')
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected Products 1

Vendor    Product   Version   Range
fastgpt   fastgpt   *         <4.9.12

References 2

  • github.com https://github.com/labring/FastGPT/commit/095b75ee27746004106eddeaa4840688a61ff6eb
    Patch
  • github.com https://github.com/labring/FastGPT/security/advisories/GHSA-r976-rfrv-q24m
    Exploit, Vendor Advisory

Remediation

  • github.com https://github.com/labring/FastGPT/commit/095b75ee27746004106eddeaa4840688a61ff6eb
    Patch