Ce mail provient de l'extérieur, restons vigilants

=====================================================================

                            CERT-Renater

                Note d'Information No. 2025/VULN118

_____________________________________________________________________

DATE                : 24/02/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running DocsGPT versions 0.8.1 up to
                                   and including 0.12.0.

=====================================================================
https://cert.pl/en/posts/2025/02/CVE-2025-0868/
_____________________________________________________________________


Vulnerability in DocsGPT software


CVE ID                  CVE-2025-0868
Publication date        20 February 2025
Vendor                  Arc53
Product                 DocsGPT
Vulnerable versions     From 0.8.1 through 0.12.0
Vulnerability type (CWE)   Improper Neutralization of Special
          Elements used in a Command ('Command Injection') (CWE-77)
Report source           Report to CERT Polska


Description

CERT Polska has received a report about vulnerability in Arc53
DocsGPT software and participated in coordination of its disclosure.

The vulnerability CVE-2025-0868 that could result in Remote Code
Execution (RCE), has been found in DocsGPT. Due to improper parsing
of JSON data using eval() an unauthorized attacker could send
arbitrary Python code to be executed via /api/remote endpoint.

This issue affects DocsGPT: from 0.8.1 through 0.12.0.


Credits

We thank Eryk Winiarz for the responsible vulnerability report.
More about the coordinated vulnerability disclosure process at CERT
Polska can be found at https://cert.pl/en/cvd/.

=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================