CVE-2025-0868
Published: 20 February 2025
Description
A vulnerability, that could result in Remote Code Execution (RCE), has been found in DocsGPT. Due to improper parsing of JSON data using eval() an unauthorized attacker could send arbitrary Python code to be executed via /api/remote endpoint.. This issue affects DocsGPT: from 0.8.1 through 0.12.0.
Security Summary
CVE-2025-0868 is a remote code execution (RCE) vulnerability in DocsGPT, an open-source application, affecting versions from 0.8.1 through 0.12.0. The flaw stems from improper parsing of JSON data using the eval() function, which allows arbitrary Python code to be executed. This issue, classified under CWE-95 (Improper Neutralization of Directives in Dynamically Evaluated Code), was published on 2025-02-20.
An unauthorized remote attacker can exploit this vulnerability by sending malicious JSON payloads containing arbitrary Python code to the /api/remote endpoint. Successful exploitation results in remote code execution on the server hosting DocsGPT, potentially granting full control over the affected system.
Mitigation details are available in advisories from CERT.PL at https://cert.pl/en/posts/2025/02/CVE-2025-0868/ and https://cert.pl/posts/2025/02/CVE-2025-0868/, as well as the DocsGPT GitHub repository at https://github.com/arc53/DocsGPT. Security practitioners should review these resources for patching instructions and upgrade guidance.
Details
- CWE(s)