CVE-2024-10902 CRITICAL

CVE-2024-10902: Arbitrary File Upload with Path Traversal in eosphoros-ai/db-gpt

Vendor Eosphoros-Ai
Product eosphoros-ai/db-gpt
Weakness CWE-22 · Path traversal
Published March 20, 2025
Last update October 15, 2025

CVSS base score

9.1/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality None
Integrity High

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

What the vulnerability does

01 Description

In eosphoros-ai/db-gpt version v0.6.0, the web API `POST /v1/personal/agent/upload` is vulnerable to Arbitrary File Upload with Path Traversal. This vulnerability allows unauthorized attackers to upload arbitrary files to any location on the victim's file system. The impact includes potential remote code execution (RCE) by writing malicious files, such as a malicious `__init__.py` in Python's `site-packages/` directory.
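The defect class above (CWE-22) comes from joining a client-supplied file name onto the upload directory without checking that the result stays inside it. The following is an added illustration, not code from db-gpt: it places the naive join beside a hardened destination check so the failure mode can be seen on constructed names. The base directory, the function names and the sample file names are assumptions for the example.

```python
"""Upload-destination checks illustrating the CWE-22 pattern.

This is example code written for this page, not db-gpt's implementation.
The upload directory and file names below are constructed for the demo.
"""
from pathlib import Path
import posixpath


class UnsafeFilename(ValueError):
    """Raised when an upload name would land outside the upload directory."""


def naive_destination(base_dir: str, filename: str) -> str:
    """The vulnerable pattern: trusting the client-supplied name as-is.

    A name containing '..' or a leading '/' joins to a path outside base_dir.
    """
    return posixpath.join(base_dir, filename)


def naive_escapes(base_dir: str, filename: str) -> bool:
    """Report whether the naive join resolves outside base_dir."""
    base = Path(base_dir).resolve()
    target = Path(naive_destination(base_dir, filename)).resolve()
    try:
        target.relative_to(base)
        return False
    except ValueError:
        return True


def safe_destination(base_dir: str, filename: str) -> Path:
    """Hardened version: accept only a single plain file-name component and
    then confirm containment on the resolved path (defense in depth)."""
    base = Path(base_dir).resolve()
    if not filename or filename in {".", ".."}:
        raise UnsafeFilename(filename)
    # Separators and NUL bytes never belong in a bare file name.
    if "/" in filename or "\\" in filename or "\x00" in filename:
        raise UnsafeFilename(filename)
    candidate = (base / filename).resolve()
    # Even after the syntactic checks, the resolved parent must be base itself.
    if candidate.parent != base:
        raise UnsafeFilename(filename)
    return candidate


def is_safe_upload_name(base_dir: str, filename: str) -> bool:
    """Convenience wrapper returning True only for names safe_destination accepts."""
    try:
        safe_destination(base_dir, filename)
        return True
    except UnsafeFilename:
        return False


if __name__ == "__main__":
    # Constructed upload directory and names; nothing is written to disk.
    upload_dir = "/srv/uploads"
    for name in ["report.txt", "../../outside.py", "sub/inner.txt"]:
        print(f"{name!r}: naive escapes={naive_escapes(upload_dir, name)} "
              f"safe={is_safe_upload_name(upload_dir, name)}")
```

The hardened check deliberately rejects any sub-directory component rather than trying to sanitise it; if an application needs client-chosen sub-paths, the containment check on the resolved path is the part that must remain.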

Key dates

02 Disclosure timeline

March 20, 2025 CVE published
October 15, 2025 Record updated