CVE-2025-52552 PUBLISHED

FastGPT LastRoute Parameter on Login Page Vulnerable to Open Redirect and DOM-based XSS

Assigner: GitHub_M
Reserved: 18.06.2025 Published: 21.06.2025 Updated: 21.06.2025

FastGPT is an AI Agent building platform. Prior to version 4.9.12, the LastRoute parameter on the login page is vulnerable to open redirect and DOM-based XSS. Because the parameter is neither validated nor sanitized before it is used, an attacker who lures a user to a crafted login URL can execute JavaScript in that user's browser or redirect the user to an attacker-controlled site. This issue has been patched in version 4.9.12.
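As an added example (not FastGPT's code and not the 4.9.12 patch), the following browser-style JavaScript shows the post-login redirect pattern that produces both findings beside a hardened version. The `lastRoute` parameter name comes from the advisory; the application origin `https://app.example`, the function names and the sample query strings are constructed assumptions.

```javascript
// Added example, not FastGPT's own code. Shows a post-login redirect that trusts
// a "lastRoute" query parameter, beside a hardened version that only accepts
// same-origin destinations. The appOrigin value and function names are assumptions.

// Vulnerable pattern: the query string value becomes the navigation target unchanged.
// "javascript:alert(document.domain)" then runs in the application's origin
// (DOM-based XSS); "https://evil.example/" leaves the site (open redirect).
function vulnerableRedirectTarget(search) {
  const params = new URLSearchParams(search);
  return params.get('lastRoute') || '/';
}

// Hardened pattern: resolve the value against the application's own origin and
// only navigate if the resolved URL is still on that origin. Always returns an
// absolute URL on appOrigin, falling back to the app root.
function safeRedirectTarget(search, appOrigin = 'https://app.example') {
  const fallback = new URL('/', appOrigin).href;
  const params = new URLSearchParams(search);
  const candidate = params.get('lastRoute') || '/';

  // First gate: require an in-app absolute path. A single leading slash that is
  // not followed by another slash or a backslash rules out "//host" and "/\host",
  // which browsers resolve as protocol-relative (cross-origin) URLs. URLSearchParams
  // has already percent-decoded the value, so "%2F%2Fhost" is caught here too.
  if (!/^\/(?![\/\\])/.test(candidate)) return fallback;

  // Second gate: let the WHATWG URL parser do the resolution and compare origins.
  // This catches anything the regex missed and normalises "." and ".." segments.
  let resolved;
  try {
    resolved = new URL(candidate, appOrigin);
  } catch {
    return fallback;
  }
  if (resolved.origin !== appOrigin) return fallback;

  // Return the absolute same-origin URL rather than a bare pathname: a pathname
  // such as "//evil.example" (possible after ".." normalisation) would itself be
  // protocol-relative if assigned to window.location.
  return resolved.href;
}

// Constructed query strings covering the benign case and the attack variants.
const sampleSearches = [
  '?lastRoute=/app/chat',
  '?lastRoute=javascript:alert(document.domain)',
  '?lastRoute=https://evil.example/phish',
  '?lastRoute=//evil.example/phish',
  '?lastRoute=/\\evil.example/phish',
  '?lastRoute=%2F%2Fevil.example/phish',
  '?lastRoute=/app/../..//evil.example',
];

// Rows of {input, vulnerable, safe} so the contrast is visible at a glance.
function compare(searches = sampleSearches) {
  return searches.map((s) => ({
    input: s,
    vulnerable: vulnerableRedirectTarget(s),
    safe: safeRedirectTarget(s),
  }));
}

if (typeof require !== 'undefined' && require.main === module) {
  console.table(compare());
}
```

In a page the hardened function is wired to the actual sink, for instance `window.location.assign(safeRedirectTarget(window.location.search))`; the check has to sit wherever the navigation is performed, and an allowlist of known in-app routes is stricter still than the origin comparison shown here.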

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H
CVSS Score: 5.5

Product Status

Vendor labring
Product FastGPT
Versions
  • Version < 4.9.12 is affected

References

Problem Types

  • CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')