9.3

CVSS Score

4.0

-

CVSS Score

Basic Information

CVE ID

CVE-2025-0868

GHSA ID

GHSA-9gff-5v8w-x922

EPSS Score

0.95923%

CWE

CWE-77

Published

2/20/2025

Updated

2/20/2025

KEV Status

Technology

JavaScript

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-0868

CVE-2025-0868: DocsGPT Allows Remote Code Execution

A vulnerability, that could result in Remote Code Execution (RCE), has been found in DocsGPT. Due to improper parsing of JSON data using eval() an unauthorized attacker could send arbitrary Python code to be executed via /api/remote endpoint.

This issue affects DocsGPT: from 0.8.1 through 0.12.0.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-0868

CVE-2025-0868:

9.3

CVSS Score

4.0

-

CVSS Score

Basic Information

CVE ID

CVE-2025-0868

GHSA ID

GHSA-9gff-5v8w-x922

EPSS Score

0.95923%

CWE

CWE-77

Published

2/20/2025

Updated

2/20/2025

KEV Status

Technology

JavaScript

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
docsgpt	npm	>= 0.8.1, <= 0.12.0

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from improper use of eval() for JSON parsing in the /api/remote endpoint handler. While exact code isn't visible, the advisory explicitly mentions: 1) The attack vector is through /api/remote 2) eval() is used for JSON parsing 3) CWE-77 (Command Injection) classification matches eval() misuse pattern. In Flask applications, endpoint handlers are typically defined in main app files or routes modules. The high confidence comes from the direct correlation between the documented vulnerability characteristics and the common pattern of eval() misuse in web endpoint handlers.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

9.3

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-0868: DocsGPT Allows Remote Code Execution

CVE-2025-0868:

9.3

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

CVE-2025-0868: DocsGPT Allows Remote Code Execution

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Basic Information

Basic Information

9.3

9.3

Technical Details

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI