Arbitrary File Write Vulnerability in Eosphoros-ai/db-gpt API
CVE-2024-10901

9.8CRITICAL

Key Information:

Vendor

Eosphoros-ai

Status
Eosphoros-ai/db-gpt
Vendor
CVE Published:
20 March 2025

What is CVE-2024-10901?

In version v0.6.0 of the Eosphoros-ai/db-gpt product, a serious flaw exists within the web API endpoint POST /api/v1/editor/chart/run. This vulnerability allows unauthorized execution of arbitrary SQL queries due to a lack of access control measures. Attackers can exploit this weakness to write arbitrary files to the victim's file system. Such actions could lead to more severe outcomes, including Remote Code Execution (RCE), by allowing the injection of malicious files (e.g., __init__.py) into sensitive directories like Python's /site-packages/. This poses significant risk, emphasizing the need for prompt remediation.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

eosphoros-ai/db-gpt <= unspecified

References

https://huntr.com/bounties/db2c1d59-6e3a-4553-a1f6-94c8df...

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

CVSS V3.0

Score:
9.1
Severity:
CRITICAL
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.