Platform: nodejs
Component: gpt-researcher
Fixed in: 3.4.1, 3.4.2, 3.4.3, 3.4.4
A server-side request forgery (SSRF) vulnerability has been identified in the gpt-researcher Node.js component, affecting versions 3.4.0 through 3.4.3. This vulnerability allows attackers to manipulate the source_urls argument within the ws Endpoint, potentially leading to unauthorized access to internal resources. The vulnerability was publicly disclosed on 2026-04-06 and the project maintainers have not yet responded to the issue report.
The SSRF vulnerability in gpt-researcher allows an attacker to craft malicious requests that the server will execute on their behalf. This can be exploited to access internal services or resources that are not directly accessible from the outside world. For example, an attacker could potentially scan internal networks, access sensitive data stored on internal servers, or even trigger actions on other internal systems. The ability to launch the attack remotely significantly increases the potential blast radius. Successful exploitation could lead to data breaches, system compromise, and disruption of services.
This vulnerability is publicly disclosed and may be exploited. It is not currently listed in the CISA KEV catalog. Public disclosure increases the likelihood of exploitation, especially if a readily available proof-of-concept is developed. Monitor security advisories and threat intelligence feeds for any indications of active exploitation campaigns targeting gpt-researcher.
Exploit Status
EPSS: 0.05% (17th percentile)
Due to the lack of a response from the project maintainers, immediate mitigation is crucial. The primary mitigation is to upgrade to a patched version of gpt-researcher as soon as one becomes available. Until a patch is released, consider implementing input validation on the source_urls parameter to restrict the URLs that can be accessed. A Web Application Firewall (WAF) can also be configured to block requests containing suspicious URLs or patterns. Carefully review and restrict network access for the gpt-researcher component to minimize potential damage from a successful SSRF attack.
Update to a patched version of gpt-researcher. The developer has not responded to the vulnerability report, so it is recommended to check for alternative versions or workarounds.
CVE-2026-5633 is a server-side request forgery vulnerability in gpt-researcher versions 3.4.0–3.4.3, allowing attackers to manipulate URLs and potentially access internal resources.
If you are using gpt-researcher versions 3.4.0 through 3.4.3, you are potentially affected by this SSRF vulnerability. Check your dependencies immediately.
Upgrade to a patched version of gpt-researcher as soon as one is available. Until then, implement input validation and consider using a WAF to mitigate the risk.
The vulnerability is publicly disclosed, increasing the risk of exploitation. Monitor security advisories and threat intelligence for any signs of active campaigns.
As of the current date, there is no official advisory from the gpt-researcher project. Monitor the project's repository and communication channels for updates.