CVE-2024-10835: DB-GPT is vulnerable to SQL Injection attacks from unauthenticated users
In eosphoros-ai/db-gpt version v0.6.0, the web API POST /api/v1/editor/sql/run allows execution of arbitrary SQL queries without any access control. This vulnerability can be exploited by attackers to perform Arbitrary File Write using DuckDB SQL, enabling them to write arbitrary files to the victim's file system. This can potentially lead to Remote Code Execution (RCE).
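The advisory names two missing controls on the endpoint: no access check, and no limit on what the submitted SQL may do (DuckDB can write host files through statements such as COPY ... TO). The following is an added example, not DB-GPT's own code, of a stand-in request guard that applies both controls before anything reaches the database. The token store, the handler name `handle_run_sql`, the read-only allow-list and the keyword deny-list are all hypothetical policy choices for illustration.

```python
"""Added example (not DB-GPT project code): a stand-in guard for a
"run SQL" endpoint, showing the two controls CVE-2024-10835 says the
/api/v1/editor/sql/run handler lacked: an access-control check and a
restriction on what the submitted SQL may do. DuckDB statements such as
COPY ... TO can write files on the host, so the policy is read-only.
All tokens, names and the policy itself are hypothetical."""
import hmac
import re
from dataclasses import dataclass
from typing import Optional

# Constructed credential store; a real deployment would use its session layer.
VALID_TOKENS = {"example-token-123"}

# The statement's first keyword must be one of these read-only forms.
READ_ONLY_STARTS = {"SELECT", "WITH", "EXPLAIN", "DESCRIBE", "SHOW"}

# Second layer: DuckDB keywords and table functions that touch the
# filesystem, extensions or engine settings may not appear anywhere in the
# statement. This is an illustrative deny-list, not a parser; it can reject
# a harmless column named "load", which is the safer direction to fail.
DENY_ANYWHERE = re.compile(
    r"\b(COPY|EXPORT|IMPORT|INSTALL|LOAD|ATTACH|PRAGMA|SET|CALL|"
    r"read_csv|read_parquet|read_json|glob)\b",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def is_authenticated(token: Optional[str]) -> bool:
    """Constant-time comparison against the constructed token store."""
    if not token:
        return False
    return any(hmac.compare_digest(token, known) for known in VALID_TOKENS)


def strip_comments(sql: str) -> str:
    """Drop /* ... */ and -- comments so that a statement hidden behind a
    leading comment is still classified by its real first keyword."""
    sql = re.sub(r"/\*.*?\*/", " ", sql, flags=re.DOTALL)
    sql = re.sub(r"--[^\n]*", " ", sql)
    return sql


def check_sql_policy(sql: str) -> Decision:
    """Allow only a single read-only statement."""
    cleaned = strip_comments(sql).strip()
    if cleaned.endswith(";"):
        cleaned = cleaned[:-1].rstrip()
    if not cleaned:
        return Decision(False, "empty statement")
    # Conservative multi-statement check: any remaining ';' is rejected, even
    # one inside a string literal (a tokenizer would be needed to tell them apart).
    if ";" in cleaned:
        return Decision(False, "multiple statements are not allowed")
    match = re.match(r"[A-Za-z_]+", cleaned)
    if not match:
        return Decision(False, "statement does not start with a keyword")
    first = match.group(0).upper()
    if first not in READ_ONLY_STARTS:
        return Decision(False, f"statement type {first} is not allowed")
    hit = DENY_ANYWHERE.search(cleaned)
    if hit:
        return Decision(False, f"keyword {hit.group(1).upper()} is not allowed")
    return Decision(True, "ok")


def handle_run_sql(token: Optional[str], sql: str) -> Decision:
    """Stand-in for the endpoint handler: authenticate first, then apply the
    SQL policy. Only an allowed Decision would be passed on to the database."""
    if not is_authenticated(token):
        return Decision(False, "unauthenticated")
    return check_sql_policy(sql)


if __name__ == "__main__":
    # Constructed requests: one anonymous, one authenticated and read-only,
    # one authenticated but attempting a DuckDB file write.
    for tok, stmt in [
        (None, "SELECT 1"),
        ("example-token-123", "SELECT name FROM users LIMIT 5;"),
        ("example-token-123", "COPY (SELECT 1) TO '/tmp/example.txt'"),
    ]:
        print(tok, repr(stmt), handle_run_sql(tok, stmt))
```

The keyword filter is a second layer only; the primary fix for this class of bug is the authentication check, and for DuckDB specifically the engine-level setting `enable_external_access = false` removes file and extension access regardless of what SQL text gets through.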