Eosphoros AI DB-GPT Arbitrary File Upload Vulnerability with Path Traversal

Vulnerability

An arbitrary file upload vulnerability with path traversal has been identified in the Eosphoros AI DB-GPT web API, specifically in version 0.6.0. The issue arises in the `POST /v1/personal/agent/upload` endpoint, where unauthorized attackers can upload files to any location on the victim's file system. This vulnerability could lead to remote code execution by allowing the upload of malicious files, such as a harmful `__init__.py` file placed in Python's `/site-packages/` directory.

Impact

Exploitation of this vulnerability could result in unauthorized file uploads, with the potential for remote code execution if malicious files are uploaded and executed on the server.

Added: Jun 9, 2025, 7:46 PM

Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

7.5

exploitability

7.4

remediation

0.0

relevance

0.0

threat

0.0

urgency

2.9

incentive

5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

7.5

exploitability

7.4

remediation

0.0

relevance

0.0

threat

0.0

urgency

2.9

incentive

5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Eosphoros AI DB-GPT Arbitrary File Upload Vulnerability with Path Traversal

Vulnerability

Impact

Affected Products

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating