CVE-2025-0868: DocsGPT Allows Remote Code Execution

February 20, 2025 (updated October 31, 2025)

A vulnerability, that could result in Remote Code Execution (RCE), has been found in DocsGPT. Due to improper parsing of JSON data using eval() an unauthorized attacker could send arbitrary Python code to be executed via /api/remote endpoint.

This issue affects DocsGPT: from 0.8.1 through 0.12.0.

References

cert.pl/en/posts/2025/02/CVE-2025-0868
cert.pl/posts/2025/02/CVE-2025-0868
github.com/advisories/GHSA-9gff-5v8w-x922
github.com/arc53/DocsGPT
github.com/arc53/docsgpt
nvd.nist.gov/vuln/detail/CVE-2025-0868

Code Behaviors & Features

Detect and mitigate CVE-2025-0868 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →