Full Report
Command Injection vulnerability has been found in Arc53 DocsGPT software (CVE-2025-0868).
Analysis Summary
# Vulnerability: Command Injection Leading to RCE in Arc53 DocsGPT
## CVE Details
- CVE ID: CVE-2025-0868
- CVSS Score: Not explicitly provided in the text, but the impact suggests **High** severity.
- CWE: CWE-77 (Improper Neutralization of Special Elements used in a Command ('Command Injection'))
## Affected Systems
- Products: Arc53 DocsGPT
- Versions: From 0.8.1 through 0.12.0
- Configurations: Affects installations utilizing the `/api/remote` endpoint.
## Vulnerability Description
The vulnerability stems from improper parsing of JSON data using the `eval()` function within DocsGPT. This flaw allows an unauthorized remote attacker to inject and execute arbitrary Python code by sending malicious data through the vulnerable `/api/remote` endpoint. This results in Remote Code Execution (RCE).
## Exploitation
- Status: Unknown (Article confirms vulnerability discovery, not exploitation in the wild)
- Complexity: Likely **Low** given the endpoint access and direct RCE potential.
- Attack Vector: Network
## Impact
- Confidentiality: High (Arbitrary code execution allows access to system data)
- Integrity: High (Arbitrary code execution allows system modification)
- Availability: High (Arbitrary code execution can lead to system disruption)
## Remediation
### Patches
- Patches are not explicitly listed in the provided text. Users should consult the vendor (Arc53) advisories for the specific version containing the fix (expected to be **version 0.12.1 or newer**).
### Workarounds
- No specific workarounds are detailed in the provided text. Temporary mitigation would involve restricting access to the `/api/remote` endpoint if technically feasible, or disabling the component utilizing this endpoint.
## Detection
- Indicators of compromise: Look for unusual processes spawned by the DocsGPT application or unexpected network activity originating from the application server, specifically tied to requests hitting the `/api/remote` endpoint containing complex or unusual characters indicative of shell commands/Python payloads.
- Detection methods and tools: Application whitelisting, network monitoring focused on traffic to `/api/remote`, and runtime security monitoring tools.
## References
- Vendor advisory: Arc53 (Consult official vendor channels)
- Relevant links - defanged:
- https://incydent.cert.pl/#!/lang=en
- https://www.cve.org/CVERecord?id=CVE-2025-0868
- https://cert.pl/en/cvd/