VYPR
High severity · NVD Advisory · Published Mar 20, 2025 · Updated Mar 20, 2025

Cross-Site Request Forgery (CSRF) in eosphoros-ai/db-gpt

CVE-2024-10906

Description

In version 0.6.0 of eosphoros-ai/db-gpt, the uvicorn app created by dbgpt_server uses an overly permissive instance of CORSMiddleware which sets Access-Control-Allow-Origin to * for all requests. This configuration makes all endpoints exposed by the server vulnerable to Cross-Site Request Forgery (CSRF). An attacker can exploit this vulnerability to interact with any endpoint of the instance, even if the instance is not publicly exposed to the network.
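To make the effect of that setting concrete, the following added example (not code from the db-gpt project) models how a CORSMiddleware-style allow-list decides what a cross-origin page may read, and audits the permissive configuration the advisory describes beside an assumed hardened one. The middleware behaviour is a simplified model, and the local UI origin is an assumption.

```python
"""Simplified model of CORS allow-list decisions; added example, not the project's code."""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional

SIMPLE_METHODS = {"GET", "HEAD", "POST"}  # others always trigger a preflight


@dataclass
class CorsConfig:
    allow_origins: list[str] = field(default_factory=list)
    allow_credentials: bool = False
    allow_methods: list[str] = field(default_factory=lambda: ["GET"])


# Constructed configs: PERMISSIVE mirrors the advisory (wildcard origin for every
# request); HARDENED uses an assumed origin for a locally served UI.
PERMISSIVE = CorsConfig(allow_origins=["*"], allow_methods=["*"])
HARDENED = CorsConfig(allow_origins=["http://127.0.0.1:3000"], allow_methods=["GET", "POST"])


def allow_origin_header(cfg: CorsConfig, origin: str) -> Optional[str]:
    """Access-Control-Allow-Origin value the server would emit, or None if absent."""
    if "*" in cfg.allow_origins:
        # Browsers reject '*' combined with credentials, so a middleware that
        # supports both echoes the caller's origin; either way every origin passes.
        return origin if cfg.allow_credentials else "*"
    return origin if origin in cfg.allow_origins else None


def browser_can_read(cfg: CorsConfig, origin: str, method: str = "GET") -> bool:
    """Would a page at `origin` be allowed to read the response to `method`?
    (Content-Type can also force a preflight; only the method is modelled here.)"""
    method = method.upper()
    if method not in SIMPLE_METHODS:  # preflighted: method must also be allowed
        if "*" not in cfg.allow_methods and method not in cfg.allow_methods:
            return False
    return allow_origin_header(cfg, origin) is not None


def audit(cfg: CorsConfig) -> list[str]:
    """Defender-side check flagging the settings that make the advisory's case exploitable."""
    findings = []
    if "*" in cfg.allow_origins:
        findings.append("allow_origins contains '*': any web page may read responses")
        if cfg.allow_credentials:
            findings.append("wildcard origin with credentials: origin is echoed, cookies sent")
    if "*" in cfg.allow_methods:
        findings.append("allow_methods contains '*': state-changing methods allowed cross-origin")
    return findings
```

Because the victim's browser runs on the same host, a server bound only to localhost is still reachable from a page on any origin, which is why the wildcard matters even for non-public instances.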


Affected packages

Versions sourced from the GitHub Security Advisory.

Package: dbgpt (PyPI)
Affected versions: <= 0.6.0
Patched versions: not listed

Affected products

  • ghsa-coords
    Range: <= 0.6.0
  • eosphoros-ai/eosphoros-ai/db-gptv5
    Range: unspecified
