CVE-2025-52552 | THREATINT

Description

FastGPT is an AI Agent building platform. Prior to version 4.9.12, the LastRoute Parameter on login page is vulnerable to open redirect and DOM-based XSS. Improper validation and lack of sanitization of this parameter allows attackers execute malicious JavaScript or redirect them to attacker-controlled sites. This issue has been patched in version 4.9.12.

PUBLISHED Reserved 2025-06-18 | Published 2025-06-21 | Updated 2025-06-23 | Assigner GitHub_M

MEDIUM: 5.5CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H

Problem types

CWE-601: URL Redirection to Untrusted Site ('Open Redirect')

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Product status

< 4.9.12

affected

References

github.com/...astGPT/security/advisories/GHSA-r976-rfrv-q24m

github.com/...ommit/095b75ee27746004106eddeaa4840688a61ff6eb

cve.org (CVE-2025-52552)

nvd.nist.gov (CVE-2025-52552)

Download JSON