YAML Metadata Warning:empty or missing yaml metadata in repo card
Check out the documentation for more information.
DB-GPT v0.8.0 β Unauthenticated flow-import ZIP RCE β huntr PoC
Private/gated proof-of-concept accompanying a huntr vulnerability report. Access is granted only to the huntr triage bot.
Target: eosphoros-ai/DB-GPT @ v0.8.0 (commit a3f21350, latest release).
An unauthenticated POST /api/v1/serve/awel/flow/import accepts a flow ZIP whose package
<name>/__init__.py is executed on import by the dbgpts loader β via loader.exec_module
(python branch) or importlib.resources.path(name, "__init__.py") inside the pre_fill model
validator (json branch). The uploaded __init__.py runs regardless of definition_type, so
shipping the legitimate export shape with a non-empty __init__.py yields remote code execution on
the host β deterministic, no LLM.
Contents
README.mdβ this file.REPORT.md/POC.mdβ the vulnerability report and walkthrough (added separately).poc/fire_006.pyβ self-contained deterministic PoC. It imports the real released wheeldbgpt==0.8.0and drives the actual loader sink on a forged ZIP. PREREQUISITE β install the wheel BEFORE going network-isolated (--netblocks pip):pip install "dbgpt==0.8.0" unshare --user --map-root-user --net python3 poc/fire_006.pypoc/PROVENANCE.txtβ expected sha256 of the two loader files shipped in the wheel (dbgpt/util/dbgpts/loader.py,dbgpt/core/awel/dag/loader.py); byte-identical to the cloned taga3f21350. The PoC locates them viaimportlib.util.find_specand verifies these hashes at runtime before driving the sink.poc/sandbox_006.logβ a recorded run: CASE1 (json+payload β RCE) + CASE3 (python+payload β RCE) + CASE2/CASE4 negative controls (empty__init__/ loader-not-driven β no exec) all PASS.
Harmless marker only (a file write executed by the uploaded __init__.py); no network egress; the target
repository is never built or installed β only the released PyPI wheel is pip install-ed.