CVE-2024-10906
Published: 20 March 2025
Description
An adversary may rely upon a user clicking a malicious link in order to gain execution.
Security Summary
CVE-2024-10906 is a Cross-Site Request Forgery (CSRF) vulnerability affecting version 0.6.0 of eosphoros-ai/db-gpt. The issue stems from the uvicorn application created by dbgpt_server, which employs an overly permissive CORSMiddleware configuration. This sets the Access-Control-Allow-Origin header to "*" for all requests, exposing all server endpoints to CSRF attacks. The vulnerability is classified under CWE-352 with a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H).
Attackers can exploit this vulnerability over the network without privileges and with low attack complexity, but exploitation requires user interaction, such as tricking a victim into visiting a malicious site. Even if the db-gpt instance is not publicly exposed, an attacker can cause the victim's browser to send requests to any endpoint on the server, potentially leading to high integrity and availability impacts, such as unauthorized actions or service disruption.
The primary advisory is available at https://huntr.com/bounties/8864aca5-a342-4dab-b866-b2882ba6f160, which details the vulnerability discovered through a bug bounty program. Practitioners should consult this reference for specific patch information or mitigation guidance, such as restricting CORS origins or upgrading to a fixed version if available. The CVE was published on 2025-03-20.
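The misconfiguration described above is a `CORSMiddleware` registered with `allow_origins=["*"]`. The following static check is an added example for defenders, not code from db-gpt or from the advisory: it parses Python source with the standard-library `ast` module, locates `add_middleware(CORSMiddleware, ...)` calls (the real Starlette/FastAPI registration form), and flags a wildcard origin, reporting whether `allow_credentials=True` accompanies it. The two embedded source snippets are constructed for illustration; they are not the project's actual code. The allowlisted origin in the hardened sample is a placeholder.

```python
"""Static check for overly permissive Starlette/FastAPI CORSMiddleware setup."""
import ast

# Constructed sample: the weak configuration pattern the advisory describes
# (illustrative only, not the db-gpt source).
VULNERABLE_SOURCE = '''
from fastapi import FastAPI
from fastapi.middleware.cors import CORSMiddleware

app = FastAPI()
app.add_middleware(
    CORSMiddleware,
    allow_origins=["*"],
    allow_credentials=True,
    allow_methods=["*"],
    allow_headers=["*"],
)
'''

# Constructed sample: the hardened form with an explicit origin allowlist.
# "https://dbgpt.example.internal" is a placeholder origin.
HARDENED_SOURCE = '''
from fastapi import FastAPI
from fastapi.middleware.cors import CORSMiddleware

app = FastAPI()
app.add_middleware(
    CORSMiddleware,
    allow_origins=["https://dbgpt.example.internal"],
    allow_credentials=True,
    allow_methods=["GET", "POST"],
    allow_headers=["Authorization", "Content-Type"],
)
'''


def _string_list(node):
    """Return the string literals inside a list/tuple literal, or None."""
    if isinstance(node, (ast.List, ast.Tuple)):
        return [e.value for e in node.elts
                if isinstance(e, ast.Constant) and isinstance(e.value, str)]
    return None


def _is_cors_middleware(node):
    """True if the first positional argument names CORSMiddleware."""
    if not node.args:
        return False
    first = node.args[0]
    if isinstance(first, ast.Name):
        return first.id == "CORSMiddleware"
    if isinstance(first, ast.Attribute):
        return first.attr == "CORSMiddleware"
    return False


def find_permissive_cors(source: str) -> list:
    """Return one finding per add_middleware(CORSMiddleware, ...) call
    whose allow_origins contains "*"."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        if not (isinstance(func, ast.Attribute) and func.attr == "add_middleware"):
            continue
        if not _is_cors_middleware(node):
            continue
        kwargs = {kw.arg: kw.value for kw in node.keywords if kw.arg}
        origins = _string_list(kwargs.get("allow_origins"))
        creds = kwargs.get("allow_credentials")
        creds_on = isinstance(creds, ast.Constant) and creds.value is True
        if origins is not None and "*" in origins:
            findings.append({
                "line": node.lineno,
                "issue": "wildcard_origin",
                "with_credentials": creds_on,
                # Wildcard origin plus credentials is the worst combination:
                # every site can drive authenticated requests.
                "severity": "high" if creds_on else "medium",
            })
    return findings


if __name__ == "__main__":
    for label, src in (("vulnerable", VULNERABLE_SOURCE), ("hardened", HARDENED_SOURCE)):
        print(label, find_permissive_cors(src))
```

Run it over the application's startup module (the file that builds the uvicorn app) as part of code review or CI; the remediation is the hardened form, an explicit list of trusted origins rather than `"*"`, which is the "restricting CORS origins" mitigation the advisory refers to.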
Details
- CWE(s): CWE-352
Affected Products
- eosphoros-ai/db-gpt 0.6.0
AI Security Analysis
- AI Category: Other Platforms
- Risk Domain: N/A
- OWASP Top 10 for LLMs 2025: None mapped
- MITRE ATLAS Techniques: None mapped
- Classification Reason: Regex match
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CSRF vulnerability enables attackers to perform unauthorized actions on server endpoints by tricking authenticated users into visiting a malicious site/link, which forges cross-origin requests using the victim's session; this directly maps to the Malicious Link technique.