CVE-2025-0868
published 2025-02-20


Priority P187 · critical · 9.3 (CVSS 4.0)
ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 15.10% (96.3th percentile)
A vulnerability that could result in Remote Code Execution (RCE) has been found in DocsGPT. Due to improper parsing of JSON data using eval(), an unauthorized attacker could send arbitrary Python code to be executed via the /api/remote endpoint. This issue affects DocsGPT: from 0.8.1 through 0.12.0.

Affected

2 ranges

Vendor  Product  Version range   Fixed in
arc53   docsgpt  0.8.1 – 0.12.0
arc53   docsgpt  0.8.1 – 0.12.0

Detection & IOCs (extracted from sources)

url: /api/remote
snort:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS DocsGPT Remote Code Execution Attempt (CVE-2025-0868)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:11; content:"/api/remote"; http.request_body; content:"user|3d|"; content:"source|3d|"; content:"name|3d|"; content:"data|3d 7b|"; content:"|22|source|22 3a 22|"; content:"|22|client_id|22 3a 22|"; content:"|22|client_secret|22 3a|"; content:"|22|user_agent|22 3a 22|"; content:"|22|search_queries|22 3a|"; content:"|22|number_posts|22 3a|"; content:"|22|rce|5c 5c 5c 5c 22 3a 5f 5f|import|5f 5f 28 27|"; fast_pattern; reference:url,github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2025/CVE-2025-0868.yaml; reference:cve,2025-0868; classtype:attempted-admin; sid:2060779; rev:1; metadata:attack_target Server, tls_state plaintext, created_at 2025_03_11, cve CVE_2025_0868, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, updated_at 2025_03_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • Detect POST requests to /api/remote with a URL-encoded body containing the 'rce' key followed by escaped quotes and __import__ — the canonical injection pattern for this CVE.
  • The Nuclei template matches on both an out-of-band DNS interaction (via interactsh) AND response body fields '"task_id":' and '"status":' to confirm successful exploitation.
  • FOFA fingerprint for identifying exposed DocsGPT instances: search for body containing 'Welcome to DocsGPT'.
  • The exploit payload smuggles Python code inside a JSON key name by injecting an escaped quote sequence ('rce\\\":') to break out of the JSON structure and inject into the eval() call.
  • The HTTP request body must include all of: user=, source=, name=, data={...} with client_id, client_secret, user_agent, search_queries, number_posts fields — all required by the vulnerable endpoint before eval() is reached.
  • The exploit targets a specific port (7091) in the PoC, but this is the author's local test configuration — the actual DocsGPT deployment port may vary.
  • The Snort rule (sid:2060779) is scoped to plaintext HTTP only (tls_state plaintext); TLS-wrapped deployments of DocsGPT will not be detected by this rule without SSL inspection.
  • The vulnerability affects versions 0.8.1 through 0.12.0 inclusive; version 0.12.1 and later are remediated.
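
Added example (not DocsGPT's own code and not taken from the sources above): a strict handler for the form body described in the notes, parsing the data field with json.loads instead of eval() and rejecting anything that is not plain JSON with the expected keys. The function names, the key allow-list (derived from the fields named in the notes) and the sample bodies are assumptions constructed for illustration.

```python
import json
from urllib.parse import parse_qs, urlencode

# Keys the notes above list inside data={...}; treating them as a strict
# allow-list is an assumption of this example, not DocsGPT's schema.
REQUIRED_KEYS = {"client_id", "client_secret", "user_agent",
                 "search_queries", "number_posts"}
ALLOWED_KEYS = REQUIRED_KEYS | {"source"}

class RejectedInput(ValueError):
    """The 'data' form field is not the plain JSON object we expect."""

def parse_remote_data(form_body: str) -> dict:
    """Parse the url-encoded body of a POST to /api/remote without eval()."""
    fields = parse_qs(form_body, keep_blank_values=True)
    for name in ("user", "source", "name", "data"):
        if len(fields.get(name, [])) != 1:
            raise RejectedInput(f"form field {name!r} missing or repeated")
    try:
        # json.loads only builds dict/list/str/number/bool/None values and
        # never evaluates expressions, so Python that is not JSON fails here.
        data = json.loads(fields["data"][0])
    except json.JSONDecodeError as exc:
        raise RejectedInput(f"data is not valid JSON: {exc.msg}") from exc
    if not isinstance(data, dict):
        raise RejectedInput("data must be a JSON object")
    unknown = set(data) - ALLOWED_KEYS
    if unknown:
        # Worth logging: the notes say the payload hides in a JSON key name.
        raise RejectedInput(f"unexpected keys: {sorted(unknown)}")
    missing = REQUIRED_KEYS - set(data)
    if missing:
        raise RejectedInput(f"missing keys: {sorted(missing)}")
    return data

def build_body(data_text: str) -> str:
    """Constructed sample request body (all values are placeholders)."""
    return urlencode({"user": "local", "source": "example",
                      "name": "demo", "data": data_text})

if __name__ == "__main__":
    ok = json.dumps({"client_id": "id", "client_secret": "s", "user_agent": "ua",
                     "search_queries": ["docs"], "number_posts": 5})
    print(parse_remote_data(build_body(ok)))
    try:
        parse_remote_data(build_body('{"client_id": 1+1}'))  # Python, not JSON
    except RejectedInput as err:
        print("rejected:", err)
```

Rejections raised by a handler like this are also a useful log signal on instances that have not yet been upgraded past 0.12.0.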

CVSS provenance

Source         Version  Score  Severity  Vector
nvd            v4.0     9.3    CRITICAL  CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vulncheck               9.3    CRITICAL
vendor_redhat           6.8    MEDIUM