Fastgpt · Fastgpt · CVE-2026-44286
**Name of the Vulnerable Software and Affected Versions**
FastGPT versions prior to 4.14.17
**Description**
A Server-Side Request Forgery (SSRF) vulnerability allows unauthenticated attackers, or authenticated users with App editing privileges, to make the server send arbitrary HTTP requests to internal or private network addresses. The `fetchData()` function in the lafModule workflow node uses axios to fetch user-controlled URLs without first validating them against the `isInternalAddress` internal-network blocklist guard, so the application's existing SSRF protections are bypassed. SSRF is a flaw in which an attacker can force a server-side application to make HTTP requests to a domain of the attacker's choosing.
**Recommendations**
Update to version 4.14.17.