CVE-2024-10831 Overview
A critical absolute path traversal vulnerability exists in eosphoros-ai/db-gpt version 0.6.0 that allows attackers to upload arbitrary files to arbitrary locations on the target server. The vulnerability is present in the file upload endpoint where user-controllable parameters file_key and doc_file.filename can be manipulated to construct paths outside the intended upload directory. This flaw enables attackers to overwrite essential system files, including SSH keys, potentially leading to complete system compromise.
Critical Impact
Remote attackers can upload malicious files to any location on the server without authentication, enabling system compromise through overwriting critical files such as SSH authorized_keys or system configuration files.
Affected Products
- DB-GPT version 0.6.0
- eosphoros-ai/db-gpt 0.6.0
Discovery Timeline
- 2025-03-20 - CVE-2024-10831 published to NVD
- 2025-07-17 - Last updated in NVD database
Technical Details for CVE-2024-10831
Vulnerability Analysis
This path traversal vulnerability (CWE-36: Absolute Path Traversal) stems from improper validation of user-supplied input in the file upload functionality of DB-GPT. The application fails to properly sanitize the file_key and doc_file.filename parameters before using them to construct the destination file path on the server.
An unauthenticated attacker can exploit this vulnerability remotely over the network with low attack complexity. The vulnerability allows for high-impact modifications to system integrity and availability, as arbitrary files can be written to any location accessible by the application's process.
Root Cause
The root cause is insufficient input validation on file path parameters. The application directly uses user-supplied values for file_key and doc_file.filename in constructing the file destination path without sanitizing path traversal sequences such as ../ or absolute paths. This allows attackers to escape the intended upload directory and write files to arbitrary locations on the file system.
Attack Vector
The attack is conducted remotely over the network against the file upload endpoint. An attacker crafts a malicious HTTP request with specially crafted file_key and doc_file.filename values containing path traversal sequences (e.g., ../../../etc/cron.d/malicious) or absolute paths. When the server processes this request, it writes the uploaded file content to the attacker-specified location, bypassing the intended upload directory restrictions.
Successful exploitation could allow attackers to:
- Overwrite SSH authorized_keys files for unauthorized access
- Plant malicious cron jobs for persistent access
- Overwrite application configuration files
- Deploy web shells in accessible directories
For detailed technical information, refer to the Huntr Bug Bounty Report.
Detection Methods for CVE-2024-10831
Indicators of Compromise
- Unexpected files appearing in system directories such as /root/.ssh/, /etc/cron.d/, or web server directories
- Modified SSH authorized_keys files with unauthorized public keys
- Unusual file creation timestamps in critical system directories
- Web server access logs showing file upload requests with path traversal patterns (../ sequences or absolute paths)
Detection Strategies
- Monitor web application logs for file upload requests containing path traversal patterns in parameters
- Implement file integrity monitoring (FIM) on critical system directories to detect unauthorized file modifications
- Deploy web application firewall (WAF) rules to block requests containing path traversal sequences in file upload parameters
- Configure SentinelOne to alert on suspicious file creation in sensitive system directories
Monitoring Recommendations
- Enable enhanced logging on DB-GPT file upload endpoints to capture full request parameters
- Set up alerts for file creation events in directories outside the expected upload path
- Monitor for new SSH keys being added to authorized_keys files across the infrastructure
- Implement behavioral analysis to detect post-exploitation activities following successful file writes
How to Mitigate CVE-2024-10831
Immediate Actions Required
- Immediately restrict network access to DB-GPT file upload endpoints using firewall rules or network segmentation
- If DB-GPT 0.6.0 is deployed, consider taking the service offline until a patch is applied
- Audit system directories for unauthorized file modifications, particularly SSH keys and cron configurations
- Implement reverse proxy rules to filter requests containing path traversal patterns
Patch Information
At the time of publication, no official patch information has been released by the vendor. Organizations should monitor the DB-GPT project repository and security advisories for updates. Review the Huntr Bug Bounty Report for the latest status on remediation efforts.
Workarounds
- Deploy a web application firewall (WAF) with rules to block path traversal sequences in file upload parameters
- Implement network-level access controls to restrict access to the file upload endpoint to trusted sources only
- Run the DB-GPT application with minimal file system permissions using a dedicated low-privilege user account
- Consider containerizing the application with read-only file system mounts for critical directories
- Monitor and alert on any file writes outside the designated upload directory
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
