CVE-2025-0868 CRITICAL

CVE-2025-0868: Remote Code Execution in DocsGPT

Vendor Arc53
Product DocsGPT
Weakness CWE-95 · Eval injection
Published February 20, 2025
Last update October 3, 2025

CVSS base score

9.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

A vulnerability that could result in Remote Code Execution (RCE) has been found in DocsGPT. Because JSON data is improperly parsed with eval(), an unauthorized attacker could send arbitrary Python code to be executed via the /api/remote endpoint. This issue affects DocsGPT from 0.8.1 through 0.12.0.
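The remediation pattern for this weakness class (CWE-95) is to decode the request field as data with a JSON parser and validate its shape, instead of passing it to eval(). The sketch below is an added example, not DocsGPT's code or its actual patch; the function names, the `urls` field, the size limit and the sample strings are assumptions made for illustration.

```python
import json

MAX_LEN = 16_384  # assumed upper bound for the form field, not a DocsGPT value


def parse_remote_data(raw):
    """Decode an untrusted request field as JSON data; never evaluate it as Python."""
    if not isinstance(raw, str) or len(raw) > MAX_LEN:
        raise ValueError("data must be a string of bounded size")
    try:
        value = json.loads(raw)  # parses data only, executes nothing
    except (json.JSONDecodeError, RecursionError) as exc:
        raise ValueError("data is not valid JSON") from exc
    if not isinstance(value, dict):
        raise ValueError("data must be a JSON object")
    # Accept only strings or lists of strings as field values.
    for key, item in value.items():
        ok = isinstance(item, str) or (
            isinstance(item, list) and all(isinstance(x, str) for x in item)
        )
        if not ok:
            raise ValueError(f"unexpected type for field {key!r}")
    return value


def rejected(raw):
    """Return True when parse_remote_data refuses the input."""
    try:
        parse_remote_data(raw)
    except ValueError:
        return True
    return False


# Constructed samples (hypothetical field name "urls").
GOOD = '{"urls": ["https://example.com/docs"]}'
# A Python expression that eval() would compute but that is not JSON.
EXPR = '{"urls": "x" * 3}'

if __name__ == "__main__":
    print(parse_remote_data(GOOD))
    print("expression rejected:", rejected(EXPR))
```

Anything that is only meaningful as a Python expression fails at the decode step, so the handler sees either plain data of the expected shape or an error it can turn into an HTTP 400.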

Key dates

02 Disclosure timeline

February 20, 2025 CVE published
October 3, 2025 Record updated