KnowledgeGPT Arbitrary Code Execution Vulnerability
Vulnerability
A remote code execution vulnerability exists in mmzdev KnowledgeGPT version 0.0.5. The issue arises in the Document Display Component, which uses the st.markdown function with the unsafe_allow_html parameter enabled, allowing for the execution of arbitrary code. This vulnerability is compounded by inadequate validation of uploaded files, enabling attackers to upload files containing malicious code that is executed within the application's context.
Impact
Exploitation of this vulnerability allows for arbitrary code execution on the server where KnowledgeGPT is running.
Remediation
Users are advised to avoid using the unsafe_allow_html parameter in st.markdown whenever possible. If it must be used, implement proper HTML sanitization to remove potentially harmful scripts. KnowledgeGPT users should also be cautious, as the repository is archived and may not be actively maintained.
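The sanitization step recommended above can be sketched as follows. This is an added example, not code from KnowledgeGPT or Streamlit, and it uses only the Python standard library so it runs as-is; a maintained sanitizer library is the better choice in production. The names AllowlistSanitizer, sanitize_html and show_document and the tag allowlist are assumptions made for illustration.

```python
from html import escape
from html.parser import HTMLParser

# Assumed allowlist for showing document text; every attribute is discarded.
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "ul", "ol", "li", "code",
                "pre", "blockquote", "h1", "h2", "h3", "h4"}
# Elements whose inner text is dropped along with the tag itself.
DROP_CONTENT = {"script", "style", "iframe", "object", "embed", "template"}

class AllowlistSanitizer(HTMLParser):
    """Rebuild markup from allowlisted tags only, escaping all text."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []          # sanitized output fragments
        self.open_tags = []    # allowlisted tags currently open
        self.drop_depth = 0    # > 0 while inside a DROP_CONTENT element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.drop_depth += 1
        elif self.drop_depth == 0 and tag in ALLOWED_TAGS:
            self.out.append(f"<{tag}>")  # attrs (onclick, style, ...) never copied
            if tag != "br":
                self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.drop_depth = max(0, self.drop_depth - 1)
        elif self.drop_depth == 0 and tag in self.open_tags:
            closed = None
            while closed != tag:  # also close tags left open inside this one
                closed = self.open_tags.pop()
                self.out.append(f"</{closed}>")

    def handle_data(self, data):
        if self.drop_depth == 0:
            self.out.append(escape(data))  # text is re-escaped, never trusted

def sanitize_html(untrusted: str) -> str:
    parser = AllowlistSanitizer()
    parser.feed(untrusted)
    parser.close()
    return "".join(parser.out + [f"</{t}>" for t in reversed(parser.open_tags)])

def show_document(untrusted_html: str) -> None:
    import streamlit as st  # lazy import: the sanitizer is testable without Streamlit
    st.markdown(sanitize_html(untrusted_html), unsafe_allow_html=True)
```

An unclosed element from DROP_CONTENT suppresses everything after it, so malformed input fails closed rather than leaking markup.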
