CVE-2025-51459

Medium CVSS: 6.5

File Upload vulnerability in agent.hub.controller.refresh_plugins in eosphoros-ai DB-GPT 0.7.0 allows remote attackers to execute arbitrary code via a malicious plugin ZIP file uploaded to the /v1/personal/agent/upload endpoint, interacting with plugin_hub._sanitize_filename and plugins_util.scan_plugins.

Vendor

Dbgpt

Product

Db-gpt

CWE

CWE-77

Yayın Tarihi

2025-07-22 19:15:25

Güncelleme

2025-09-11 16:13:25

Source Identifier

cve@mitre.org

KEV Date Added

Kategoriler

CWE-77 Db-gpt MEDIUM Dbgpt 2025

Referanslar

https://github.com/eosphoros-ai/DB-GPT/pull/2649 https://www.gecko.security/blog/cve-2025-51459

Benzer Kayıtlar

Medium

CVE-2025-51458

SQL Injection in editor_sql_run and query_ex in eosphoros-ai DB-GPT 0.7.0 allows remote attackers to execute arbitrary S…

Medium

CVE-2025-6772

A vulnerability was found in eosphoros-ai db-gpt up to 0.7.2. It has been classified as critical. Affected is the functi…

High

CVE-2025-0452

eosphoros-ai/DB-GPT version latest is vulnerable to arbitrary file deletion on Windows systems via the '/v1/agent/hub/up…

Critical

CVE-2024-10902

In eosphoros-ai/db-gpt version v0.6.0, the web API `POST /v1/personal/agent/upload` is vulnerable to Arbitrary File Uplo…

High

CVE-2024-10906

In version 0.6.0 of eosphoros-ai/db-gpt, the `uvicorn` app created by `dbgpt_server` uses an overly permissive instance…

High

CVE-2024-10829

A Denial of Service (DoS) vulnerability in the multipart request boundary processing mechanism of eosphoros-ai/db-gpt v0…