eosphoros-ai/db-gpt Cross-Site Request Forgery Vulnerability via Overly Permissive CORS Configuration
Vulnerability
A Cross-Site Request Forgery (CSRF) vulnerability exists in version 0.6.0 of eosphoros-ai/db-gpt. The 'uvicorn' application created by 'dbgpt_server' installs a 'CORSMiddleware' instance that allows every origin, so a web page on any site the user visits can issue cross-origin requests to the server's endpoints from the user's browser and read the responses. Because the browser, not the attacker's machine, sends the requests, the instance's network placement offers no protection: a server bound to localhost or reachable only from an internal network can still be driven by a page the victim has open.
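The check a practitioner wants here is to send a request with an attacker-chosen Origin header and see whether the server reflects it. The script below is an added example, not code from db-gpt: it models the weak policy (every origin accepted, credentials allowed, which is an assumption about the configuration) beside an exact-match allowlist, stands up a throwaway local server for each, and probes them the way a browser would. The helper names ('cors_headers', 'serve', 'probe_cors', 'is_overpermissive'), the allowlist and the '/api/v1/chat' path are all constructed for the example.

```python
"""Probe a server for an over-permissive CORS policy and compare it with an
exact-match origin allowlist. Added example; not db-gpt's own code. The two
policies are modelled with the standard library only so the demo runs offline.
"""
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed allowlist for the hardened policy: exact origins, no wildcards.
ALLOWED_ORIGINS = {"https://app.example.com"}


def cors_headers(origin, wildcard):
    """Return the CORS headers a server emits for a request carrying `origin`.

    wildcard=True models the weak setting (assumed: all origins allowed with
    credentials on). Reflecting the caller's Origin with
    Access-Control-Allow-Credentials lets a page on any site make credentialed
    requests and read the responses, which is what makes the endpoints
    attackable from the victim's browser.
    wildcard=False models the fix: only exact allowlist members get CORS
    headers; everyone else gets none, so the browser refuses the read.
    """
    if wildcard or origin in ALLOWED_ORIGINS:   # exact match, no substring tests
        return {
            "Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin",
        }
    return {}


class _Handler(BaseHTTPRequestHandler):
    wildcard = True  # overridden per server by serve()

    def do_GET(self):
        origin = self.headers.get("Origin", "")
        self.send_response(200)
        for name, value in cors_headers(origin, self.wildcard).items():
            self.send_header(name, value)
        self.send_header("Content-Type", "application/json")
        self.end_headers()
        self.wfile.write(b'{"chats": []}')  # constructed response body

    def log_message(self, *args):  # keep the demo quiet
        pass


def serve(wildcard):
    """Start a local HTTP server with the chosen policy on an ephemeral port."""
    handler = type("PolicyHandler", (_Handler,), {"wildcard": wildcard})
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def probe_cors(url, origin):
    """Send the cross-origin GET a browser would and report what was allowed.
    Run this against a live instance with an origin you do not control."""
    req = urllib.request.Request(url, headers={"Origin": origin})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return {
            "allow_origin": resp.headers.get("Access-Control-Allow-Origin"),
            "allow_credentials": resp.headers.get("Access-Control-Allow-Credentials"),
        }


def is_overpermissive(probed_origin, result):
    """True when an arbitrary origin is accepted: either '*' is returned or
    the attacker-chosen origin is reflected back. Call it with an origin that
    should never be trusted."""
    return result["allow_origin"] in ("*", probed_origin)


if __name__ == "__main__":
    attacker = "https://evil.example"
    for wildcard in (True, False):
        srv = serve(wildcard)
        url = f"http://127.0.0.1:{srv.server_port}/api/v1/chat"
        result = probe_cors(url, attacker)
        print("wildcard" if wildcard else "allowlist", result,
              "OVERPERMISSIVE" if is_overpermissive(attacker, result) else "ok")
        srv.shutdown()
```

Against a real instance, replace the local URL with the server's address and keep the Origin header set to a host you do not own; a reflected origin or a literal '*' together with Access-Control-Allow-Credentials: true is the finding. The fix is an explicit list of trusted origins in the middleware configuration in place of the wildcard.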
Impact
Exploitation of this vulnerability allows Cross-Site Request Forgery: an attacker who lures a user to a malicious page can have that user's browser perform actions against the db-gpt server on the user's behalf, without the user's knowledge or consent.
