CVE-2024-10906
Published 2025-03-20
Priority: P3 (40) · Severity: high · CVSS 3.1 base score: 8.1
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H
EPSS: 0.23% (13.4th percentile)
In version 0.6.0 of eosphoros-ai/db-gpt, the `uvicorn` app created by `dbgpt_server` uses an overly permissive instance of `CORSMiddleware` which sets the `Access-Control-Allow-Origin` to `*` for all requests. This configuration makes all endpoints exposed by the server vulnerable to Cross-Site Request Forgery (CSRF). An attacker can exploit this vulnerability to interact with any endpoints of the instance, even if the instance is not publicly exposed to the network.
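The misconfiguration described above, as an added example that is not DB-GPT's own code: a pure-Python audit of `CORSMiddleware`-style settings (the weak wildcard beside an explicit allowlist) and the hardened header logic a middleware should apply per request. The `https://dbgpt.example` origin, the `allow_credentials` and `allow_methods` values, and the `CorsConfig` shape are constructed assumptions.

```python
# Added example, not DB-GPT's own code. Models the keyword arguments of
# Starlette's CORSMiddleware (allow_origins, allow_credentials, allow_methods)
# as plain data so the check runs offline without importing Starlette.
from dataclasses import dataclass, field
from typing import Dict, List, Optional

STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


@dataclass
class CorsConfig:
    allow_origins: List[str] = field(default_factory=list)
    allow_credentials: bool = False
    allow_methods: List[str] = field(default_factory=lambda: ["GET"])


def audit_cors(cfg: CorsConfig) -> List[str]:
    """Flag settings that let an arbitrary site drive the API cross-origin."""
    findings = []
    if "*" in cfg.allow_origins:
        findings.append("allow_origins contains '*': every origin is trusted")
        if cfg.allow_credentials:
            findings.append("wildcard origin together with allow_credentials=True: "
                            "the server intends to accept credentialed cross-site requests")
        if "*" in cfg.allow_methods or STATE_CHANGING & set(cfg.allow_methods):
            findings.append("state-changing methods are allowed cross-origin")
    return findings


def cors_response_headers(cfg: CorsConfig, origin: Optional[str]) -> Dict[str, str]:
    """Headers a hardened middleware emits for a request carrying `origin`.

    Only an exact allowlist match is echoed back (with Vary: Origin so caches
    never serve one origin's answer to another); a wildcard is never combined
    with credentials; anything else gets no CORS headers, so the browser
    blocks the cross-origin call.
    """
    if origin is None:
        return {}
    if "*" in cfg.allow_origins:
        return {} if cfg.allow_credentials else {"Access-Control-Allow-Origin": "*"}
    if origin not in cfg.allow_origins:
        return {}
    headers = {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    if cfg.allow_credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


# Constructed configurations: WEAK mirrors the wildcard described in the
# advisory (credentials/methods values assumed); FIXED is an explicit allowlist.
WEAK = CorsConfig(allow_origins=["*"], allow_credentials=True, allow_methods=["*"])
FIXED = CorsConfig(allow_origins=["https://dbgpt.example"],
                   allow_credentials=True, allow_methods=["GET", "POST"])
```

Running `audit_cors(WEAK)` yields three findings and `audit_cors(FIXED)` none; `cors_response_headers(FIXED, "https://attacker.example")` returns no CORS headers at all.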
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| dbgpt | db-gpt | — | — |
| eosphoros-ai | eosphoros-ai_db-gpt | unspecified – latest | — |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 8.1 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H |
| nvd | 3.0 | 7.1 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:L |
OSV
DB-GPT vulnerable to Cross-Site Request Forgery (osv, 2025-03-20, CVE-2024-10906, HIGH)
GHSA
DB-GPT vulnerable to Cross-Site Request Forgery (ghsa, 2025-03-20, CVE-2024-10906, HIGH, CWE-352)
No detection rules found.
No public exploits indexed.
Wiz
Cross-Site Request Forgery (CSRF): Examples & Prevention | Wiz (blogs_wiz, 2025-12-29)
## What is CSRF?
Cross-site request forgery (CSRF) is a cybersecurity attack in which a malicious website or attacker tricks your browser into making unwanted requests to a website where you are authenticated. The attack exploits the trust between a web application and its authenticated users: the app accepts HTTP requests (POST, GET, PUT, and DELETE) without being able to tell whether they are legitimate or forged.
For example, imagine you log in to your bank account and then visit another website with a CSRF vulnerability. The compromised website can leverage your active session cookie to disguise itself as you and perform malicious actions, such as transferring money from your account, without further authentication.
## How CSRF works
CSRF exploits apps with flawed session management and weaknesses