PT-2025-30448 · Db-Gpt · Db-Gpt

Geckosecurity · Published 2025-07-22 · Updated 2025-10-15 · CVE-2025-51459

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: DB-GPT version 0.7.0

Description: A file upload issue exists in the agent.hub.controller.refresh_plugins component of DB-GPT. It allows remote attackers to execute arbitrary code by uploading a malicious plugin ZIP file to the /v1/personal/agent/upload API endpoint. The vulnerability involves the interaction between the plugin_hub.sanitize_filename and plugins_util.scan_plugins functions.

Recommendations: DB-GPT version 0.7.0: As a temporary workaround, consider restricting access to the /v1/personal/agent/upload API endpoint until a patch is available.

Tags: RCE · Command Injection

Weakness Enumeration

Related Identifiers: CVE-2025-51459

Affected Products: Db-Gpt