CVE-2026-42345

Name of the Vulnerable Software and Affected Versions FastGPT versions prior to 4.14.11

Description The isInternalAddress() function in packages/service/common/system/utils.ts fails to properly block cloud metadata endpoints. The function uses a fullUrl.startsWith() check against a hardcoded list that can be bypassed using various URL encoding techniques. Furthermore, the private IP checks (isInternalIPv4 and isInternalIPv6) are disabled by default because the CHECK INTERNAL IP variable defaults to false, allowing bypassed requests to reach metadata endpoints without additional validation.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.