CVE-2025-0452

Published Mar 20, 2025

Last updated 16 days ago

CVSS high 8.2

Overview

Description
eosphoros-ai/DB-GPT version latest is vulnerable to arbitrary file deletion on Windows systems via the '/v1/agent/hub/update' endpoint. The application fails to properly filter the '\' character, which is commonly used as a separator in Windows paths. This vulnerability allows attackers to delete any files on the host system by manipulating the 'plugin_repo_name' variable.
Source
security@huntr.dev
NVD status
Received

Risk scores

CVSS 3.0

Type
Secondary
Base score
8.2
Impact score
4.2
Exploitability score
3.9
Vector string
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
Severity
HIGH

Weaknesses

security@huntr.dev
CWE-73

Social media

Hype score
Not currently trending

  1. CVE-2025-0452 eosphoros-ai/DB-GPT version latest is vulnerable to arbitrary file deletion on Windows systems via the '/v1/agent/hub/update' endpoint. The application fails to properl… https://t.co/3TL9w32OwI

    @CVEnew

    22 Mar 2025

    250 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

References