Description
In eosphoros-ai/db-gpt version v0.6.0, the web API endpoint `POST /api/v1/editor/chart/run` executes caller-supplied SQL without any authentication or authorization check. Because the SQL runs with the privileges of the application's own database connection, an unauthenticated attacker can leverage the endpoint to write arbitrary files to the server's file system. This can lead to Remote Code Execution (RCE), for example by writing a malicious `__init__.py` into the Python interpreter's `site-packages/` directory, which is executed the next time the corresponding package is imported.
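The following is an added example of how a "run this SQL and chart it" endpoint can be guarded against the class of issue described above. It is not DB-GPT's code and not the project's fix; the `X-Api-Token` header, the demo token, the `sales` table and the forbidden-construct list are all constructed for illustration. It layers three controls: the caller must authenticate, only a single read-only `SELECT`/`WITH` statement is accepted, and the query runs on a connection that the database engine itself refuses to write through, so a bypass of the statement filter still cannot produce a file write.

```python
"""Added example (not DB-GPT's code): guarding an endpoint that runs
caller-supplied SQL to build a chart. Names and data are constructed."""
from __future__ import annotations

import hmac
import re
import sqlite3

# Constructed demo secret; a real service takes this from its identity layer.
DEMO_API_TOKEN = "s3cr3t-demo-token"

# SQL constructs that reach the server's file system in common engines.
# Illustrative, not exhaustive: this is defense in depth behind
# authentication and a read-only database role, never a substitute for them.
FILESYSTEM_PATTERNS = [
    (r"\bINTO\s+(OUTFILE|DUMPFILE)\b", "MySQL SELECT ... INTO OUTFILE/DUMPFILE"),
    (r"\bLOAD_FILE\s*\(", "MySQL LOAD_FILE()"),
    (r"\bCOPY\b", "PostgreSQL/DuckDB COPY ... TO/FROM file"),
    (r"\bATTACH\b", "SQLite/DuckDB ATTACH of a file as a database"),
    (r"\bpg_\w*file\w*\s*\(", "PostgreSQL server-side file functions"),
    (r"\b(EXPORT|IMPORT)\s+DATABASE\b", "DuckDB database export/import"),
    (r"\b(INSTALL|LOAD)\b", "DuckDB extension loading"),
]


def check_caller(headers: dict) -> bool:
    """Hypothetical auth check: constant-time compare of an API token header.
    The essential point is that the endpoint must not be reachable anonymously;
    the concrete scheme (session, OAuth, API key) is a deployment choice."""
    token = headers.get("X-Api-Token", "")
    return hmac.compare_digest(token.encode(), DEMO_API_TOKEN.encode())


def _strip_comments_and_strings(sql: str) -> str:
    """Drop comments, then blank single-quoted literals so a literal such as
    'copy' does not trigger the keyword scan. Anything that leaves a stray
    quote behind is treated as suspicious by the caller (fail closed)."""
    sql = re.sub(r"/\*.*?\*/", " ", sql, flags=re.S)
    sql = re.sub(r"--[^\n]*", " ", sql)
    return re.sub(r"'(?:[^']|'')*'", " STR ", sql)


def validate_read_only_sql(sql: str) -> tuple[bool, str]:
    """Return (ok, reason). Accept exactly one SELECT/WITH statement that
    contains none of the file-system-reaching constructs; reject all else."""
    scrubbed = _strip_comments_and_strings(sql)
    if "'" in scrubbed:
        return False, "unbalanced or unusual quoting"
    body = scrubbed.strip().rstrip(";").strip()
    if not body:
        return False, "empty statement"
    if ";" in body:
        return False, "multiple statements"
    first = re.match(r"[A-Za-z]+", body)
    if not first or first.group(0).upper() not in ("SELECT", "WITH"):
        return False, "statement must start with SELECT or WITH"
    for pattern, what in FILESYSTEM_PATTERNS:
        if re.search(pattern, body, flags=re.I):
            return False, f"forbidden construct: {what}"
    return True, ""


def open_read_only_connection() -> sqlite3.Connection:
    """Constructed sample database with PRAGMA query_only set, so SQLite
    rejects every write even if the SQL filter were bypassed. Other engines
    have the equivalent: a role with SELECT-only grants and no file privileges."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE sales (region TEXT, amount INTEGER);"
        "INSERT INTO sales VALUES ('north', 120), ('south', 80), ('west', 200);"
    )
    conn.execute("PRAGMA query_only = ON")
    return conn


def write_is_blocked(conn: sqlite3.Connection) -> bool:
    """True if the engine refuses a write on this connection."""
    try:
        conn.execute("CREATE TABLE probe (x)")
    except sqlite3.OperationalError:
        return True
    return False


def run_chart_sql(headers: dict, sql: str) -> tuple[int, dict]:
    """Guarded equivalent of the chart endpoint: (http_status, payload)."""
    if not check_caller(headers):
        return 401, {"error": "authentication required"}
    ok, reason = validate_read_only_sql(sql)
    if not ok:
        return 400, {"error": f"rejected SQL: {reason}"}
    conn = open_read_only_connection()
    return 200, {"rows": conn.execute(sql).fetchall()}


if __name__ == "__main__":
    good = {"X-Api-Token": DEMO_API_TOKEN}
    print(run_chart_sql(good, "SELECT region, amount FROM sales ORDER BY amount DESC"))
    print(run_chart_sql(good, "SELECT 1 INTO OUTFILE '/tmp/x'"))
    print(run_chart_sql({}, "SELECT 1"))
```

The keyword denylist is deliberately conservative (a column literally named `load` or `copy` is rejected) and is still bypassable by engine-specific syntax it does not know about, which is why the connection-level read-only control and the authentication check carry the real weight; the filter only narrows what reaches the database.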
References (1)
Exploit, Third Party Advisory
https://huntr.com/bounties/db2c1d59-6e3a-4553-a1f6-94c8df162a18
Scores
CVSS v3
9.8
EPSS
0.0154
EPSS Percentile
81.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-434
Status
published
Products (2)
dbgpt/db-gpt
0.6.0
pypi/dbgpt
PyPI
Published
Mar 20, 2025
Tracked Since
Feb 18, 2026