GHSA-9gff-5v8w-x922

Source
https://github.com/advisories/GHSA-9gff-5v8w-x922
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/02/GHSA-9gff-5v8w-x922/GHSA-9gff-5v8w-x922.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-9gff-5v8w-x922
Aliases
Published
2025-02-20T12:31:15Z
Modified
2025-02-20T20:42:06.293941Z
Severity
  • 9.3 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Summary
DocsGPT Allows Remote Code Execution
Details

A vulnerability that could result in Remote Code Execution (RCE) has been found in DocsGPT. Because JSON data is improperly parsed using eval(), an unauthorized attacker could send arbitrary Python code to be executed via the /api/remote endpoint.

This issue affects DocsGPT: from 0.8.1 through 0.12.0.
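
One way to parse a JSON request field as data instead of passing it to eval(), as an added example that is not DocsGPT's own code or its fix. The field schema (`urls`, `depth`), the size limit and the sample inputs are assumptions constructed for illustration.

```python
import json

MAX_LEN = 64 * 1024               # assumed upper bound for the field
ALLOWED_KEYS = {"urls", "depth"}  # hypothetical schema, not DocsGPT's


class BadRequest(ValueError):
    """Raised for any input the endpoint should answer with HTTP 400."""


def _no_constants(name):
    # json.loads accepts NaN/Infinity by default; strict JSON does not.
    raise ValueError(f"non-standard constant {name}")


def parse_field(raw):
    """Parse a JSON object from request data as data only.

    Unlike eval(), json.loads never evaluates expressions, so a Python
    expression in the field is a parse error, not code that runs.
    """
    if not isinstance(raw, str) or len(raw) > MAX_LEN:
        raise BadRequest("field missing or too large")
    try:
        obj = json.loads(raw, parse_constant=_no_constants)
    except ValueError as exc:  # JSONDecodeError is a ValueError subclass
        raise BadRequest("not valid JSON") from exc
    if not isinstance(obj, dict) or set(obj) - ALLOWED_KEYS:
        raise BadRequest("unexpected structure or keys")
    urls = obj.get("urls")
    if not isinstance(urls, list) or not all(isinstance(u, str) for u in urls):
        raise BadRequest("urls must be a list of strings")
    return obj


def accepted(raw):
    """Return True if parse_field accepts the input, False if it rejects it."""
    try:
        parse_field(raw)
        return True
    except BadRequest:
        return False


# Constructed sample inputs (not taken from the advisory).
SAMPLES = [
    '{"urls": ["https://example.com/docs"], "depth": 2}',  # valid JSON
    "{'urls': ['https://example.com/docs']}",  # Python literal, not JSON
    "len('abc')",                              # expression eval() would run
    '{"urls": [NaN]}',                         # non-standard constant
    '{"urls": ["x"], "cmd": "y"}',             # unknown key
]
```

Only the first constructed sample is accepted; the rest are rejected before any application logic sees them.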

Database specific
{
    "nvd_published_at": "2025-02-20T12:15:10Z",
    "cwe_ids": [
        "CWE-77"
    ],
    "severity": "CRITICAL",
    "github_reviewed": true,
    "github_reviewed_at": "2025-02-20T20:18:36Z"
}
References

Affected packages

npm / docsgpt

Package

Affected ranges

Type
SEMVER
Events
Introduced
0.8.1
Last affected
0.12.0