CVE-2025-0868: Remote Code Execution in DocsGPT

9.3 CVSS

Description

A vulnerability that could result in Remote Code Execution (RCE) has been found in DocsGPT. Because JSON data is parsed with eval() instead of a JSON parser, an unauthorized attacker could send arbitrary Python code to be executed via the /api/remote endpoint.

This issue affects DocsGPT: from 0.8.1 through 0.12.0.
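The root cause described above is a bug class rather than anything specific to DocsGPT: eval() evaluates any Python expression, so a request body that merely looks like JSON is executed instead of parsed. The following added example (written for this page; it is not DocsGPT's code and does not reproduce the affected handler) shows the vulnerable pattern next to a hardened parser that uses json.loads() and validates the decoded shape. The field names "user" and "source" and the sample bodies are constructed for illustration.

```python
import json

# Constructed sample request bodies (not taken from DocsGPT or the advisory).
# The first is well-formed JSON. The second is a Python expression disguised
# as JSON: a real JSON parser rejects it, while eval() evaluates it.
BODY_JSON = '{"user": "alice", "source": "https://example.invalid/doc.txt"}'
BODY_EXPR = '{"user": "alice", "source": 1 + 1}'


def parse_remote_body_vulnerable(raw: str):
    """Vulnerable pattern: using eval() as a JSON parser.

    eval() accepts any Python expression, so the request body is executed,
    not parsed. This illustrates the bug class named in the advisory; it is
    not DocsGPT's actual code.
    """
    return eval(raw)  # intentionally unsafe: shown as the bad pattern


def parse_remote_body(raw: str) -> dict:
    """Hardened pattern: strict JSON decoding plus schema validation.

    json.loads() understands only the JSON grammar and raises
    json.JSONDecodeError on anything else, so no code can run. The shape
    check then rejects documents that decode fine but are not what the
    endpoint expects (assumed schema: string fields "user" and "source").
    """
    try:
        data = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise ValueError(f"request body is not valid JSON: {exc.msg}") from exc
    if not isinstance(data, dict):
        raise ValueError("request body must be a JSON object")
    for field in ("user", "source"):
        if not isinstance(data.get(field), str):
            raise ValueError(f"field {field!r} must be a string")
    return data


def classify(raw: str) -> str:
    """Return 'accepted' or 'rejected' for the hardened parser.

    Useful as a single place to log rejected bodies, which is also the
    detection signal for probing of an endpoint like this one.
    """
    try:
        parse_remote_body(raw)
    except ValueError:
        return "rejected"
    return "accepted"


if __name__ == "__main__":
    # eval() computed the expression: "source" comes back as 2, not as text.
    print(parse_remote_body_vulnerable(BODY_EXPR))
    print(parse_remote_body(BODY_JSON))
    print(classify(BODY_EXPR))
```

Note that eval() is not even a faithful JSON parser: the JSON literals true, false and null are not Python names, so a body containing them fails under eval() while json.loads() handles them. The fix is therefore both a security and a correctness improvement, and rejected bodies logged from classify() give a cheap way to spot malformed or hostile input reaching the endpoint.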

Classification

CVE ID: CVE-2025-0868

CVSS Base Severity: CRITICAL

CVSS Base Score: 9.3

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected Products

Vendor: Arc53

Product: DocsGPT

Nuclei Template

http/cves/2025/CVE-2025-0868.yaml

Exploit Prediction Scoring System (EPSS)

EPSS Score: 15.3% (estimated probability that this vulnerability is exploited in the wild within the next 30 days)

EPSS Percentile: 94.12% (share of all scored vulnerabilities with an EPSS score less than or equal to this one)

EPSS Date: 2025-03-21 (date this score was calculated)

References

https://cert.pl/en/posts/2025/02/CVE-2025-0868/
https://cert.pl/posts/2025/02/CVE-2025-0868/
https://github.com/arc53/DocsGPT

Timeline