CVE-2025-51458

CVSS v3.1

6.5

Medium

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions DB-GPT version 0.7.0

Description A SQL injection issue exists in the editor sql run and query ex functions of DB-GPT. Remote attackers can execute arbitrary SQL statements by providing crafted input to the /v1/editor/sql/run or /v1/editor/chart/run API endpoints. The vulnerable functions involved are api editor v1.editor sql run, editor chart run, and datasource.rdbms.base.query ex.

Recommendations DB-GPT version 0.7.0: Restrict access to the /v1/editor/sql/run and /v1/editor/chart/run API endpoints. DB-GPT version 0.7.0: Avoid using crafted input with the editor sql run and query ex functions.

Exploit

Fix

SQL injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-89

Related Identifiers

CVE-2025-51458

Affected Products

Db-Gpt

CVE-2025-51458

Weakness Enumeration

Related Identifiers

Affected Products

References · 5