AutoGPT has a DoS vulnerability in FileStoreBlock with StepThroughItemsBlock
Description
AutoGPT is a workflow automation platform for creating, deploying, and managing continuous artificial intelligence agents. Prior to 0.6.63, StepThroughItemsBlock can iterate all the contents in a list and send them to FileStoreBlock for downloading one by one. Although FileStoreBlock has access time limits for downloading files, StepThroughItemsBlock can be used to slowly iterate and download relatively small files (e.g., 100M) multiple times. StepThroughItemsBlock does not limit the number of loops. In addition, FileStoreBlock does not limit the amount of disk space consumed in the current working directory. When a malicious user chooses to download too many videos, the disk space will eventually run out, causing a DoS. Version 0.6.63 patches the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
1. Range: <0.6.63
Patches
Vulnerability mechanics
Root cause
"Missing loop limit in StepThroughItemsBlock and missing disk-space quota in FileStoreBlock allow unbounded file downloads that exhaust disk space."
Attack vector
An attacker provides a list of URLs pointing to downloadable files (e.g., videos) as input to a workflow that chains `StepThroughItemsBlock` with `FileStoreBlock`. `StepThroughItemsBlock` iterates over every item in the list without any loop limit, and `FileStoreBlock` writes each downloaded file to the current working directory without checking disk space. By submitting a large number of URLs or repeatedly triggering the workflow, the attacker exhausts all available disk space, causing a denial of service. [ref_id=1]
Affected code
The vulnerability resides in `StepThroughItemsBlock` (no loop limit) and `FileStoreBlock` (no disk-space limit). The advisory shows the `run` methods of both blocks: `StepThroughItemsBlock` iterates over all items without a cap, and `FileStoreBlock` writes each file to disk without checking available space. [ref_id=1]
What the fix does
Version 0.6.63 patches the issue. The advisory does not show the exact diff, but the fix presumably introduces a loop limit in `StepThroughItemsBlock` and/or a disk‑space quota in `FileStoreBlock`. Without these controls, an attacker could slowly download many small files to fill the disk, and even after agent cleanup a countdown timer could keep the agent alive for an arbitrarily long time, sustaining the DoS. [ref_id=1]
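The two missing controls side by side, as an added illustration that is not AutoGPT's code: a capped iterator in the style of `StepThroughItemsBlock`, and a store routine that enforces a per-directory byte quota and a free-space floor before writing. All names, limits and the sample payloads are hypothetical and constructed for the demo.

```python
import shutil
import tempfile
from pathlib import Path
from typing import Iterable, Iterator, TypeVar

T = TypeVar("T")


class QuotaExceeded(Exception):
    """Raised when a loop or storage limit would be exceeded."""


def bounded_items(items: Iterable[T], max_items: int) -> Iterator[T]:
    """Yield items one by one, as StepThroughItemsBlock does, but stop at max_items."""
    for index, item in enumerate(items):
        if index >= max_items:
            raise QuotaExceeded(f"iteration limit of {max_items} items reached")
        yield item


def directory_usage(directory: Path) -> int:
    """Bytes held by regular files directly inside directory."""
    return sum(p.stat().st_size for p in directory.iterdir() if p.is_file())


def store_file(content: bytes, directory: Path, name: str,
               *, max_dir_bytes: int, min_free_bytes: int) -> Path:
    """Write content under directory only if the quota and the free-space floor both hold."""
    directory.mkdir(parents=True, exist_ok=True)
    dest = directory / Path(name).name          # drop path components, stay inside directory
    projected = directory_usage(directory) + len(content)
    if projected > max_dir_bytes:
        raise QuotaExceeded(f"directory would hold {projected} B, over quota {max_dir_bytes} B")
    if shutil.disk_usage(directory).free - len(content) < min_free_bytes:
        raise QuotaExceeded("write would push free disk space below the configured floor")
    dest.write_bytes(content)
    return dest


def store_many(payloads: Iterable[tuple[str, bytes]], directory: Path,
               *, max_items: int, max_dir_bytes: int, min_free_bytes: int = 0) -> tuple[int, str]:
    """Store payloads in order; return (files written, reason the loop stopped)."""
    written = 0
    try:
        for name, content in bounded_items(payloads, max_items):
            store_file(content, directory, name,
                       max_dir_bytes=max_dir_bytes, min_free_bytes=min_free_bytes)
            written += 1
    except QuotaExceeded as exc:
        return written, str(exc)
    return written, "completed"


def demo() -> dict:
    """Constructed input: eight 1 KiB 'downloads' against a 4 KiB quota, then a 6-item loop cap."""
    payloads = [(f"clip{i}.mp4", b"\0" * 1024) for i in range(8)]
    with tempfile.TemporaryDirectory() as tmp:
        by_quota = store_many(payloads, Path(tmp) / "quota", max_items=100, max_dir_bytes=4096)
        by_loop = store_many(payloads, Path(tmp) / "loop", max_items=6, max_dir_bytes=1 << 30)
    return {"quota": by_quota, "loop": by_loop}
```

`demo()` stops the first run after four files on the directory quota and the second after six on the loop cap; either limit alone would have bounded the unbounded download loop the advisory describes.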
Preconditions
- Input: The attacker must be able to supply a list of URLs (or other items) to a workflow that uses StepThroughItemsBlock and FileStoreBlock.
- Config: The workflow must be configured to chain StepThroughItemsBlock with FileStoreBlock so that each iterated item triggers a file download.
Reproduction
The advisory provides a PoC: a malicious user inputs a request to download two video URLs (e.g., `https://www.fudan.edu.cn/_upload/article/videos/2a/c3/78d833ac4831b3b77aae007eccb3/d53265e6-8b40-4703-8d95-f095f50c9c40-B.mp4` and another). The workflow downloads both files without any restrictions. The advisory notes that the same technique can be extended to many more URLs to exhaust disk space. [ref_id=1]
Generated on Jun 19, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. https://github.com/Significant-Gravitas/AutoGPT/security/advisories/GHSA-9fr4-9jj9-mhh6 (MITRE x_refsource_CONFIRM)