YAML Metadata Warning:empty or missing yaml metadata in repo card
Check out the documentation for more information.
DB-GPT v0.8.0 β Unauthenticated arbitrary local file read via RAG document loader β huntr PoC
Private/gated proof-of-concept accompanying a huntr vulnerability report. Access is granted only to the huntr triage bot.
Target: eosphoros-ai/DB-GPT @ v0.8.0 (commit a3f21350, latest release).
An unauthenticated POST /knowledge/{space}/document/add with doc_type="DOCUMENT", content="/abs/path.txt"
and no doc_file persists the attacker-controlled path verbatim; at sync the file-storage download is
skipped (the path does not start with the internal dbgpt-fs schema) and the raw path is handed to
KnowledgeFactory.create(...), whose loader does open(self._path, "rb") β an unauthenticated arbitrary
local file read of any file the server process can read whose extension is a supported document type
(txt/csv/md/html/pdf/docx/pptx/doc/xlsx). Deterministic, no LLM.
Severity (honest): Medium
Arbitrary read is capped by extension: the dispatcher (factory.py:145 _select_document_knowledge)
rejects any path whose extension is not a supported DocumentType. Files such as .env, .toml,
/etc/passwd, id_rsa are NOT readable β the PoC proves this as a negative control. The unit read fires
at sync; restitution of the bytes via chunk/list depends on an operational embeddings/vector store.
Contents
REPORT.mdβ the full vulnerability report.POC.mdβ the proof-of-concept walkthrough.poc/fire_011.pyβ self-contained deterministic PoC. Run network-isolated:
(requires onlyunshare --user --map-root-user --net python3 poc/fire_011.pychardet, used by the genuineTXTKnowledge._load;pip install chardetbefore--net).poc/vendor/*.pyβ the 11 real v0.8.0 source files the PoC executes (dispatch + loaders).factory.py,txt.pyand the 8 sibling loaders are byte-identical to the released PyPI wheeldbgpt-ext==0.8.0;base.pyis byte-identical to the audited clone @ tagv0.8.0β sha256 inpoc/PROVENANCE.txt, re-checked at runtime.poc/sandbox_011.logβ a recorded run (all PASS, incl. the two negative controls).
Harmless marker only (a /tmp witness file the harness writes and reads); no network egress; /etc/passwd
and credential paths are only used as negative controls (rejected before any read); the target repository is
never built or installed.