API Security Blog

Exploit for CVE-2025-0868

Penetration Testing Project Report: Exploiting CVE-2025-0868 (DocsGPT RCE via JSON Eval)

1. Introduction

A critical Remote Code Execution (RCE) flaw (CVE-2025-0868) was disclosed on February 20, 2025, in the open-source DocsGPT library, caused by unsafe use of eval() when parsing JSON payloads.

Key Details:

- Affects DocsGPT versions 0.8.1 through 0.12.0
- CVSS 4.0 score of 9.3 (CRITICAL)
- Allows unauthenticated, network-accessible code injection
- Full impact on confidentiality, integrity, and availability

About CVE-2025-0868

This vulnerability permits attackers to run arbitrary Python code via the /api/remote endpoint. DocsGPT is an open-source generative-AI tool that enables querying project documentation using GPT models.

Project Objectives

- Analyze the vulnerability's technical background
- Reproduce in a controlled lab environment
- Demonstrate exploitation impact
- Propose mitigation strategies
- Present conclusions

2. Vulnerability Analysis

2.1 Vulnerability Overview

| Category | Details |
|---|---|
| CVE ID | CVE-2025-0868 |
| Affected Software | DocsGPT v0.8.1 – v0.12.0 |
| Vulnerability Type | Remote Code Execution (RCE) |
| Attack Vector | Network-based… |
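The root cause named in the introduction, eval() used to parse JSON, is shown here next to a hardened parser. This is an added example, not code from DocsGPT or from the report; the function names, allowed keys, and sample payloads are constructed for illustration.

```python
import json

# Constructed sample inputs (not taken from DocsGPT or from the report).
VALID_JSON = '{"source": "docs", "recursive": true, "depth": 2}'
EXPRESSION = '{"source": "docs", "depth": 2 ** 10}'  # Python expression, not JSON


def parse_with_eval(raw):
    """The bug class: eval() runs the text as Python code."""
    return eval(raw)  # deliberately unsafe, shown only for contrast


def parse_with_json(raw, allowed_keys=("source", "recursive", "depth")):
    """Hardened form: json.loads() parses data only, then the shape is checked."""
    try:
        data = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise ValueError(f"payload is not valid JSON: {exc.msg}") from None
    if not isinstance(data, dict):
        raise ValueError("payload must be a JSON object")
    unknown = set(data) - set(allowed_keys)  # hypothetical allow-list
    if unknown:
        raise ValueError(f"unexpected keys: {sorted(unknown)}")
    return data


def compare(raw):
    """Return (eval_outcome, json_outcome) for one input string."""
    outcomes = []
    for parser in (parse_with_eval, parse_with_json):
        try:
            outcomes.append(("ok", parser(raw)))
        except Exception as exc:
            outcomes.append(("error", type(exc).__name__))
    return tuple(outcomes)


if __name__ == "__main__":
    for label, raw in (("valid JSON", VALID_JSON), ("expression", EXPRESSION)):
        print(label, compare(raw))
```

eval() fails on well-formed JSON that contains `true`, `false` or `null`, yet evaluates any Python expression embedded in the text, so it is both incorrect as a JSON parser and an injection point; json.loads() accepts the first input and rejects the second.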
