SQL Injection in editor_sql_run and query_ex in eosphoros-ai DB-GPT 0.7.0 allows remote attackers to execute arbitrary SQL statements via crafted input passed to the /v1/editor/sql/run or /v1/editor/chart/run endpoints, interacting with api_editor_v1.editor_sql_run, editor_chart_run, and datasource.rdbms.base.query_ex.
References
Link | Resource |
---|---|
https://github.com/eosphoros-ai/DB-GPT/pull/2650 | Exploit Issue Tracking |
https://www.gecko.security/blog/cve-2025-51458 | Exploit Vendor Advisory |
Configurations
History
11 Sep 2025, 16:09
Type | Values Removed | Values Added |
---|---|---|
First Time |
Dbgpt
Dbgpt db-gpt |
|
References | () https://github.com/eosphoros-ai/DB-GPT/pull/2650 - Exploit, Issue Tracking | |
References | () https://www.gecko.security/blog/cve-2025-51458 - Exploit, Vendor Advisory | |
CPE | cpe:2.3:a:dbgpt:db-gpt:0.7.0:*:*:*:*:*:*:* |
25 Jul 2025, 15:29
Type | Values Removed | Values Added |
---|---|---|
Summary |
|
22 Jul 2025, 20:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2025-07-22 20:15
Updated : 2025-09-11 16:09
NVD link : CVE-2025-51458
Mitre link : CVE-2025-51458
CVE.ORG link : CVE-2025-51458
JSON object : View
Products Affected
dbgpt
- db-gpt
CWE
CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')