CVE-2025-0452
📋 TL;DR
DB-GPT on Windows systems is vulnerable to arbitrary file deletion through the '/v1/agent/hub/update' endpoint. Attackers can manipulate the 'plugin_repo_name' variable to delete any file on the host system because backslash characters are not filtered properly. This affects all Windows deployments of DB-GPT using the latest version.
💻 Affected Systems
- eosphoros-ai/DB-GPT
📦 What is this software?
Db Gpt by Dbgpt
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise through deletion of critical system files, leading to OS corruption, data loss, and potential ransomware deployment.
Likely Case
Selective deletion of application files, configuration files, or user data causing service disruption and data loss.
If Mitigated
Limited to application directory if proper file permissions and sandboxing are implemented.
🎯 Exploit Status
Requires knowledge of the API endpoint and ability to craft malicious requests with path traversal using backslashes.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check vendor advisory for specific patched version
Vendor Advisory: https://huntr.com/bounties/7e854343-3d61-47d4-ad41-c4d2f356a54a
Restart Required: No
Instructions:
1. Check the vendor advisory for patched version.
2. Update DB-GPT to the latest patched version.
3. Validate that the '/v1/agent/hub/update' endpoint properly sanitizes input.
🔧 Temporary Workarounds
Input Validation Filter
Windows: Add server-side validation to reject requests containing backslash characters in the plugin_repo_name parameter.
Implement input sanitization: if '\\' in plugin_repo_name: reject_request()
Endpoint Restriction
All platforms: Restrict access to the vulnerable endpoint using network controls or authentication requirements.
Configure firewall rules to limit access to /v1/agent/hub/update endpoint
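A stricter form of the Input Validation Filter workaround above, as an added example (not DB-GPT's code or the vendor's patch): it generalises the backslash check to an allowlist for the name plus a containment check under Windows path rules via `ntpath`, so it behaves the same on any OS. `PLUGIN_BASE`, `is_within_base`, `resolve_plugin_dir` and `is_rejected` are hypothetical names, and the base path is constructed.

```python
import ntpath  # Windows path semantics, importable on any OS
import re

# Assumption: plugins are stored under a single base directory (constructed path).
PLUGIN_BASE = r"C:\dbgpt\plugins"
# Allowlist for a single directory name: no separators, no drive colon.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,99}")


def is_within_base(name: str, base: str = PLUGIN_BASE) -> bool:
    """True if base joined with name stays strictly inside base (Windows rules)."""
    base_norm = ntpath.normcase(ntpath.normpath(base))
    # normpath collapses '..' segments; normcase folds case and turns '/' into '\'.
    target = ntpath.normcase(ntpath.normpath(ntpath.join(base, name)))
    try:
        common = ntpath.commonpath([base_norm, target])
    except ValueError:  # e.g. the name carried a different drive letter
        return False
    return common == base_norm and target != base_norm


def resolve_plugin_dir(plugin_repo_name: str, base: str = PLUGIN_BASE) -> str:
    """Return the plugin directory for a validated name, else raise ValueError."""
    # Layer 1: the name must be one plain directory component.
    if not SAFE_NAME.fullmatch(plugin_repo_name or ""):
        raise ValueError("plugin_repo_name is not a plain directory name")
    # Layer 2: the resolved path must still sit under the plugin directory.
    if not is_within_base(plugin_repo_name, base):
        raise ValueError("plugin_repo_name resolves outside the plugin directory")
    return ntpath.normpath(ntpath.join(base, plugin_repo_name))


def is_rejected(name: str) -> bool:
    """Convenience wrapper for request handlers and tests."""
    try:
        resolve_plugin_dir(name)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    # Constructed sample values covering both separators and absolute forms.
    for sample in ["my-plugin", "..\\..\\Windows\\Temp", "../x", "D:\\data", "sub\\dir"]:
        print(f"{sample!r}: rejected={is_rejected(sample)}")
```

Call `resolve_plugin_dir` before any delete or update operation and use only the path it returns, never the raw request value.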
🧯 If You Can't Patch
- Implement strict file system permissions to limit the DB-GPT service account to only the directories it needs
- Deploy web application firewall (WAF) rules to block requests containing path traversal patterns with backslashes
🔍 How to Verify
Check if Vulnerable:
Test whether sending a request to /v1/agent/hub/update with plugin_repo_name containing '..\\' triggers file operations outside the intended directory.
Check Version:
Check DB-GPT version through application interface or configuration files
Verify Fix Applied:
Attempt the same test after patching; requests with backslashes should be rejected or properly sanitized.
📡 Detection & Monitoring
Log Indicators:
- Unusual file deletion events in system logs
- API requests to /v1/agent/hub/update with suspicious parameters containing backslashes
Network Indicators:
- Multiple rapid requests to the vulnerable endpoint
- Requests with unusual path patterns in plugin_repo_name parameter
SIEM Query:
source="web_logs" AND uri_path="/v1/agent/hub/update" AND (plugin_repo_name="*..\\*" OR plugin_repo_name="*\\*\\*")