VYPR
Critical severity9.1NVD Advisory· Published Mar 20, 2025· Updated Jun 17, 2026

CVE-2024-10834

CVE-2024-10834

Description

eosphoros-ai/db-gpt version 0.6.0 contains a vulnerability in the RAG-knowledge endpoint that allows for arbitrary file write. The issue arises from the ability to pass an absolute path to a call to os.path.join, enabling an attacker to write files to arbitrary locations on the target server. This vulnerability can be exploited by setting the doc_file.filename to an absolute path, which can lead to overwriting system files or creating new SSH-key entries.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

2
  • Range: =0.6.0
  • eosphoros-ai/eosphoros-ai/db-gptv5
    Range: unspecified

Patches

Vulnerability mechanics

References

1

News mentions

0

No linked articles in our index yet.