DocsGPT Remote Code Execution Vulnerability in MCP Tool

Vulnerability

A remote code execution vulnerability has been identified in DocsGPT versions from 0.15.0 up to, but not including, 0.16.0. This issue allows an attacker to bypass the 'MCP test' behavior by crafting a malicious payload that is executed on the server. The vulnerability is present in both the official DocsGPT website and any local or public deployments. When a user adds a new MCP server, the application only checks whether the server URL is valid. It does not validate the other parameters in the request, so an attacker can manipulate fields such as 'transport_type' to execute arbitrary commands on the server.

Impact

Exploitation of this vulnerability allows for unauthenticated remote code execution on the affected server, giving attackers full control over the DocsGPT instance. This vulnerability affects the official DocsGPT cloud instance, any publicly available DocsGPT instance, and local instances that are on the same network as the attacker.

Reproduction

To reproduce this vulnerability, send a POST request to the '/api/mcp_server/test' endpoint with a 'server_url' pointing to a valid MCP server. Include a 'transport_type' set to 'stdio' and a 'command' with the desired command to execute. The server will execute the command, bypassing the normal MCP server validation.

Remediation

Users can update to DocsGPT version 0.16.0, where this vulnerability has been patched.
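
The description above says only the server URL was checked while fields such as 'transport_type' and 'command' were accepted as submitted. The following is an added example of a server-side allow-list check for that request body, not DocsGPT's actual patch; the function names and the "sse"/"http" transport labels are assumptions, and the sample requests are constructed.

```python
from urllib.parse import urlparse

# Assumption: labels for network-only transports. 'stdio', which makes the
# server spawn a local process, is deliberately not accepted from API input.
ALLOWED_TRANSPORTS = {"sse", "http"}
# The only fields a remote caller may supply (field names from the advisory).
ALLOWED_KEYS = {"server_url", "transport_type"}


class McpConfigError(ValueError):
    """Raised when a submitted MCP server config must be rejected."""


def validate_mcp_config(config):
    """Return a fresh dict with only vetted fields, or raise McpConfigError."""
    if not isinstance(config, dict):
        raise McpConfigError("config must be a JSON object")
    # Reject rather than silently drop: 'command' and similar keys signal abuse.
    extra = set(config) - ALLOWED_KEYS
    if extra:
        raise McpConfigError(f"unexpected fields: {sorted(extra)}")
    transport = config.get("transport_type")
    if not isinstance(transport, str) or transport.lower() not in ALLOWED_TRANSPORTS:
        raise McpConfigError(f"transport_type not allowed: {transport!r}")
    url = config.get("server_url")
    try:
        parsed = urlparse(url) if isinstance(url, str) else None
        ok = bool(parsed and parsed.scheme in ("http", "https") and parsed.hostname)
    except ValueError:  # e.g. malformed IPv6 literal
        ok = False
    if not ok:
        raise McpConfigError("server_url must be an http(s) URL")
    # Build the result from scratch so nothing else reaches the MCP client.
    return {"server_url": url, "transport_type": transport.lower()}


def is_accepted(config):
    """Convenience wrapper: True if the config passes validation."""
    try:
        validate_mcp_config(config)
        return True
    except McpConfigError:
        return False


# Constructed sample requests (not captured traffic).
BENIGN = {"server_url": "https://mcp.example.test/sse", "transport_type": "sse"}
ADVISORY_SHAPE = {"server_url": "https://mcp.example.test/sse",
                  "transport_type": "stdio", "command": "placeholder"}
STDIO_ONLY = {"server_url": "https://mcp.example.test/sse", "transport_type": "stdio"}
```

The validator returns a newly built dictionary instead of the caller's object, so a field that was never vetted cannot be forwarded to whatever constructs the MCP client.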

Added: Apr 29, 2026, 6:21 PM
Updated: Apr 29, 2026, 6:21 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 7.5
exploitability: 8.7
remediation: 0.0
relevance: 7.0
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.