CVE-2024-10901 Overview
A critical vulnerability exists in eosphoros-ai/db-gpt version v0.6.0 that allows unauthenticated attackers to execute arbitrary SQL queries through the web API endpoint POST /api/v1/editor/chart/run. The endpoint has no access control mechanisms, so this SQL Injection vulnerability enables attackers to perform Arbitrary File Write operations on the victim's file system. The attack chain can escalate to Remote Code Execution (RCE) by writing malicious files such as __init__.py into Python's /site-packages/ directory.
Critical Impact
Unauthenticated attackers can achieve Remote Code Execution by exploiting arbitrary SQL execution to write malicious Python files to the system, potentially compromising the entire server infrastructure.
Affected Products
- DB-GPT version 0.6.0
- eosphoros-ai/db-gpt v0.6.0
- Systems running DB-GPT with exposed API endpoints
Discovery Timeline
- 2025-03-20 - CVE-2024-10901 published to NVD
- 2025-07-17 - Last updated in NVD database
Technical Details for CVE-2024-10901
Vulnerability Analysis
This vulnerability stems from a complete lack of authentication and authorization controls on the /api/v1/editor/chart/run API endpoint. The endpoint accepts and executes arbitrary SQL queries directly without validating user credentials or permissions. This design flaw allows any network-accessible attacker to interact with the underlying database with full privileges.
The exploitation chain involves leveraging SQL functionality (such as SELECT INTO OUTFILE in MySQL or COPY TO in PostgreSQL) to write arbitrary content to the file system. Attackers can weaponize this capability to inject malicious Python code into system directories from which Python will automatically execute it, such as an __init__.py file in a /site-packages/ directory.
The vulnerability is classified under CWE-434 (Unrestricted Upload of File with Dangerous Type), though the core issue is a combination of missing authentication (CWE-306) and SQL Injection leading to arbitrary file write.
Root Cause
The root cause is the absence of authentication and access control mechanisms on the chart editor API endpoint. The POST /api/v1/editor/chart/run endpoint was implemented without any security controls, allowing any HTTP client to submit SQL queries for execution. Additionally, the database connection appears to have sufficient privileges to write files to the file system, which compounds the severity of the issue.
Attack Vector
The attack is network-based and requires no authentication or user interaction. An attacker can exploit this vulnerability remotely by sending a crafted HTTP POST request to the vulnerable endpoint. The attack flow proceeds as follows:
- Attacker identifies a DB-GPT instance with the exposed API endpoint
- Attacker sends a POST request to /api/v1/editor/chart/run with malicious SQL
- The SQL query uses database-specific file write functions to create a malicious Python file
- The file is written to Python's /site-packages/ directory as __init__.py or similar
- Upon the next Python import or application restart, the malicious code executes
The attacker can craft SQL statements that leverage database-specific file write capabilities such as SELECT ... INTO OUTFILE for MySQL or COPY ... TO for PostgreSQL to place arbitrary content on the file system. By targeting Python's package directories, the attacker ensures code execution occurs when the application or system loads Python modules.
Detection Methods for CVE-2024-10901
Indicators of Compromise
- Unexpected HTTP POST requests to /api/v1/editor/chart/run from external or unauthorized sources
- SQL queries containing file write operations (INTO OUTFILE, COPY TO, INTO DUMPFILE)
- New or modified __init__.py files in Python's /site-packages/ directories
- Unexpected files appearing in web-accessible or system directories
- Database logs showing queries with file system paths or Python code patterns
Detection Strategies
- Monitor web server logs for POST requests to /api/v1/editor/chart/run endpoints, especially from unauthenticated sessions
- Implement database audit logging to capture all SQL queries containing file write keywords
- Deploy file integrity monitoring (FIM) on Python installation directories and critical system paths
- Use network intrusion detection signatures to identify SQL injection patterns in HTTP traffic
Monitoring Recommendations
- Enable detailed logging on the DB-GPT application and underlying database server
- Configure SIEM rules to alert on SQL queries containing OUTFILE, DUMPFILE, or COPY TO statements
- Monitor for changes to Python site-packages directories using endpoint detection tools
- Implement network segmentation to restrict access to DB-GPT API endpoints from untrusted networks
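The log checks listed above, sketched as an added example (not DB-GPT or vendor code): it counts POSTs to the endpoint from clients outside a trusted range and flags audited SQL containing the file-write constructs this page names, after normalizing case, whitespace and comments. The 10.0.0.0/8 range, the common-log-format layout and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re

ENDPOINT = "/api/v1/editor/chart/run"
TRUSTED = [ipaddress.ip_network("10.0.0.0/8")]  # assumption: internal range
FILE_WRITE = {  # constructs named in the advisory; COPY ... TO STDOUT writes no file
    "INTO OUTFILE/DUMPFILE": re.compile(r"\bINTO\s+(?:OUT|DUMP)FILE\b"),
    "COPY TO": re.compile(r"\bCOPY\b.+?\bTO\s+(?:E?'|PROGRAM\b)"),
}
ACCESS = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)')  # common log format

def sql_variants(sql):
    """Upper-cased, whitespace-collapsed query, with and without comments."""
    unwrapped = re.sub(r"/\*!\d*(.*?)\*/", r" \1 ", sql, flags=re.S)  # MySQL runs /*! */ bodies
    stripped = re.sub(r"/\*.*?\*/|--[^\n]*", " ", unwrapped, flags=re.S)
    return [re.sub(r"\s+", " ", s).upper() for s in (sql, stripped)]

def file_write_hits(sql):
    """Names of the file-write constructs present in one audited SQL statement."""
    return sorted(n for n, rx in FILE_WRITE.items() if any(rx.search(v) for v in sql_variants(sql)))

def is_trusted(host):
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:  # hostname or junk in the client field: treat as untrusted
        return False
    return any(addr in net for net in TRUSTED)

def untrusted_posts(access_lines):
    """Count POSTs to the chart-run endpoint per client outside TRUSTED."""
    counts = {}
    for line in access_lines:
        m = ACCESS.match(line)
        if not m or m.group(2) != "POST":
            continue
        path = m.group(3).split("?", 1)[0].rstrip("/")
        if path == ENDPOINT and not is_trusted(m.group(1)):
            counts[m.group(1)] = counts.get(m.group(1), 0) + 1
    return counts

# Constructed sample lines, not from a real incident.
SAMPLE_ACCESS = [
    '203.0.113.7 - - [01/Jan/2025:10:00:00 +0000] "POST /api/v1/editor/chart/run HTTP/1.1" 200 512',
    '10.1.2.3 - - [01/Jan/2025:10:00:05 +0000] "POST /api/v1/editor/chart/run HTTP/1.1" 200 498',
]
SAMPLE_SQL = ["SELECT id FROM orders", "select c from t into/**/outfile '<path>'", "COPY t TO STDOUT"]

if __name__ == "__main__":
    print(untrusted_posts(SAMPLE_ACCESS), [file_write_hits(q) for q in SAMPLE_SQL])
```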
How to Mitigate CVE-2024-10901
Immediate Actions Required
- Restrict network access to DB-GPT instances by implementing firewall rules or network segmentation
- Disable or remove the /api/v1/editor/chart/run endpoint if not required for operations
- Implement authentication and authorization controls in front of the API using a reverse proxy or API gateway
- Revoke database file write privileges (FILE privilege in MySQL, or similar in other databases)
- Review file system for any unauthorized modifications in Python directories
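One way to carry out the file review above without a prior baseline, as an added example (not DB-GPT or vendor code): it compares every .py file under a site-packages directory with the hashes pip records in *.dist-info/RECORD. It assumes packages were installed from wheels by pip; files placed by other installers will be reported as unowned.

```python
import base64
import csv
import hashlib
import os
import site

def record_hash(path):
    """Hash a file the way RECORD stores it: sha256=<urlsafe base64, no padding>."""
    with open(path, "rb") as fh:
        digest = hashlib.sha256(fh.read()).digest()
    return "sha256=" + base64.urlsafe_b64encode(digest).rstrip(b"=").decode()

def recorded_files(site_dir):
    """Map relative path -> recorded hash from every *.dist-info/RECORD in site_dir."""
    expected = {}
    for name in os.listdir(site_dir):
        record = os.path.join(site_dir, name, "RECORD")
        if not (name.endswith(".dist-info") and os.path.isfile(record)):
            continue
        with open(record, newline="", encoding="utf-8") as fh:
            for row in csv.reader(fh):
                if row:
                    expected[os.path.normpath(row[0])] = row[1] if len(row) > 1 else ""
    return expected

def audit_site_packages(site_dir):
    """Return (unowned, modified): .py files no RECORD lists, and ones whose hash differs."""
    expected = recorded_files(site_dir)
    unowned, modified = [], []
    for root, _dirs, files in os.walk(site_dir):
        for fname in files:
            if not fname.endswith(".py"):
                continue
            full = os.path.join(root, fname)
            rel = os.path.relpath(full, site_dir)
            if rel not in expected:
                unowned.append(rel)  # e.g. a stray __init__.py at the top level
            elif expected[rel].startswith("sha256=") and expected[rel] != record_hash(full):
                modified.append(rel)
    return sorted(unowned), sorted(modified)

if __name__ == "__main__":
    for directory in site.getsitepackages():
        if os.path.isdir(directory):
            print(directory, audit_site_packages(directory))
```

RECORD lives in the same directory tree it describes, so a clean result is weaker evidence than a comparison against hashes kept off the host.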
Patch Information
As of the last NVD update on 2025-07-17, users should consult the Huntr Bug Bounty Report for the latest remediation guidance and check the official DB-GPT repository for updated versions that address this vulnerability. Upgrade to a patched version when available.
Workarounds
- Deploy an authentication layer (e.g., OAuth, API keys) in front of all DB-GPT API endpoints using a reverse proxy
- Restrict the database user's privileges to prevent file system write operations
- Implement network-level access controls to limit API access to trusted sources only
- Run DB-GPT in a containerized environment with read-only file systems where possible
- Consider disabling the chart editor functionality entirely until a patch is available
# Example: Restrict database FILE privilege in MySQL
# Connect to MySQL as root and revoke FILE privilege from the DB-GPT user
mysql -u root -p -e "REVOKE FILE ON *.* FROM 'dbgpt_user'@'%'; FLUSH PRIVILEGES;"
# Example: Use iptables to restrict access to DB-GPT API port (adjust port as needed)
iptables -A INPUT -p tcp --dport 5000 -s 10.0.0.0/8 -j ACCEPT
iptables -A INPUT -p tcp --dport 5000 -j DROP

