CVE-2024-10906
HIGHdb-gpt 0.6.0 - Cross-Site Request Forgery via Overly Permissive CORS Configuration
Title source: llmDescription
In version 0.6.0 of eosphoros-ai/db-gpt, the `uvicorn` app created by `dbgpt_server` uses an overly permissive instance of `CORSMiddleware` which sets the `Access-Control-Allow-Origin` to `*` for all requests. This configuration makes all endpoints exposed by the server vulnerable to Cross-Site Request Forgery (CSRF). An attacker can exploit this vulnerability to interact with any endpoints of the instance, even if the instance is not publicly exposed to the network.
References (1)
Core 1
Core References
Exploit, Third Party Advisory
https://huntr.com/bounties/8864aca5-a342-4dab-b866-b2882ba6f160
Scores
CVSS v3
8.1
EPSS
0.0008
EPSS Percentile
23.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-352
Status
published
Products (2)
dbgpt/db-gpt
0.6.0
pypi/dbgpt
0PyPI
Published
Mar 20, 2025
Tracked Since
Feb 18, 2026