CVE-2025-0452 Overview
CVE-2025-0452 is an arbitrary file deletion vulnerability in eosphoros-ai/DB-GPT affecting Windows deployments. The flaw resides in the /v1/agent/hub/update endpoint, which fails to sanitize the backslash (\) character used as a path separator on Windows. Attackers can manipulate the plugin_repo_name parameter to traverse directories and delete arbitrary files on the host system. The vulnerability is exploitable remotely without authentication or user interaction. It is tracked under CWE-73: External Control of File Name or Path.
Critical Impact
Unauthenticated remote attackers can delete arbitrary files on Windows hosts running DB-GPT, leading to integrity loss and denial of service of the application or underlying system.
Affected Products
- eosphoros-ai DB-GPT version 0.6.1
- DB-GPT latest build at time of disclosure
- Windows-based DB-GPT deployments
Discovery Timeline
- 2025-03-20 - CVE-2025-0452 published to NVD
- 2025-07-17 - Last updated in NVD database
Technical Details for CVE-2025-0452
Vulnerability Analysis
DB-GPT exposes the /v1/agent/hub/update HTTP endpoint to manage agent plugins. The handler accepts a plugin_repo_name value and uses it to construct a filesystem path that is subsequently passed to a file removal routine. The application sanitizes forward slash (/) characters but does not filter the backslash (\) character.
On Windows, the operating system treats \ as a valid path separator. An attacker can submit a plugin_repo_name value containing ..\ sequences to escape the intended plugin directory. The endpoint then resolves the attacker-controlled path and deletes the target file. Because the endpoint requires no authentication, exploitation is straightforward against any exposed instance.
Root Cause
The root cause is incomplete input sanitization in the path construction logic for plugin management. The validation routine treats / as the only path separator and overlooks Windows-specific separators. This is a classic CWE-73 external control of file name or path defect, where untrusted input directly influences a filesystem operation without canonicalization or allowlisting.
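The sanitization gap described above, shown next to a hardened form, as an added example that is not DB-GPT's code. It uses Python's ntpath module so Windows separator handling can be reproduced on any OS; PLUGIN_DIR and the function names are assumptions, and only path resolution is performed, no file is touched.

```python
import ntpath  # Windows path rules, importable on any OS
import re

# Assumed plugin directory for this demonstration, not DB-GPT's real layout.
PLUGIN_DIR = r"C:\dbgpt\plugins"

def is_inside(path: str, base: str = PLUGIN_DIR) -> bool:
    """True if the canonical form of path stays under base."""
    base_n = ntpath.normcase(ntpath.normpath(base))
    path_n = ntpath.normcase(ntpath.normpath(path))
    try:
        return ntpath.commonpath([base_n, path_n]) == base_n
    except ValueError:  # different drives, or absolute mixed with relative
        return False

def naive_resolve(plugin_repo_name: str) -> str:
    """Flawed pattern from the advisory: only '/' is treated as a separator."""
    cleaned = plugin_repo_name.replace("/", "")
    return ntpath.normpath(ntpath.join(PLUGIN_DIR, cleaned))

# Allowlist: a single path component, no separators, no drive letters.
_SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")

def safe_resolve(plugin_repo_name: str) -> str:
    """Allowlist the name, then canonicalize and confirm containment."""
    if not _SAFE_NAME.fullmatch(plugin_repo_name):
        raise ValueError("invalid plugin name")
    target = ntpath.normpath(ntpath.join(PLUGIN_DIR, plugin_repo_name))
    if not is_inside(target):
        raise ValueError("path escapes plugin directory")
    return target
```

The containment check in safe_resolve is deliberately redundant with the allowlist, so a later loosening of the name pattern does not reopen the traversal.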
Attack Vector
The attack is delivered over the network against the DB-GPT HTTP service. An attacker issues a crafted request to /v1/agent/hub/update with a plugin_repo_name value such as ..\..\..\Windows\System32\drivers\etc\hosts. The server resolves the path relative to the plugin directory and deletes the referenced file. Repeated requests can remove configuration files, application binaries, or operating system components, producing denial of service or breaking integrity guarantees. No credentials, tokens, or user interaction are required.
Detection Methods for CVE-2025-0452
Indicators of Compromise
- HTTP requests to /v1/agent/hub/update containing backslash characters or ..\ sequences in the plugin_repo_name parameter.
- Unexpected file deletion events in the DB-GPT install directory or parent directories on Windows hosts.
- Application errors or crashes following missing configuration, plugin, or binary files.
- Web server access logs showing repeated POST or PUT calls to the agent hub update endpoint from a single source.
Detection Strategies
- Inspect application and reverse proxy logs for plugin_repo_name values containing \, %5C, or directory traversal patterns.
- Enable Windows file system auditing on the DB-GPT installation path and adjacent directories to capture unauthorized deletions.
- Correlate HTTP requests to /v1/agent/hub/update with subsequent file deletion telemetry from the host.
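One way to run the log inspection described above, as an added example that is not part of the original advisory. It assumes plugin_repo_name is visible in the logged request URI (the advisory does not say where the parameter is carried), and the log lines are constructed samples in combined log format.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, unquote, urlsplit

ENDPOINT = "/v1/agent/hub/update"

# Constructed sample lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '198.51.100.7 - - [20/Mar/2025:10:01:02 +0000] "POST /v1/agent/hub/update?plugin_repo_name=awesome-plugins HTTP/1.1" 200 41',
    '203.0.113.9 - - [20/Mar/2025:10:02:10 +0000] "POST /v1/agent/hub/update?plugin_repo_name=..%5C..%5Cexample.txt HTTP/1.1" 200 41',
    '203.0.113.9 - - [20/Mar/2025:10:02:11 +0000] "POST /v1/agent/hub/update?plugin_repo_name=..%255Cexample.cfg HTTP/1.1" 500 12',
    '198.51.100.7 - - [20/Mar/2025:10:03:00 +0000] "GET /v1/other?plugin_repo_name=..%5Cx HTTP/1.1" 404 0',
]

REQUEST_RE = re.compile(r'^(\S+) .*?"[A-Z]+ (\S+) HTTP/[\d.]+"')

def fully_decode(value: str, max_rounds: int = 5) -> str:
    """Percent-decode until stable so nested encodings are normalized."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_traversal(value: str) -> bool:
    """Flag a backslash or '..' anywhere in the normalized value."""
    decoded = fully_decode(value)
    return "\\" in decoded or ".." in decoded

def find_hits(lines):
    """Map source IP -> decoded suspicious plugin_repo_name values."""
    hits = defaultdict(list)
    for line in lines:
        match = REQUEST_RE.match(line)
        if not match:
            continue
        source, target = match.groups()
        url = urlsplit(target)
        if url.path.rstrip("/") != ENDPOINT:
            continue
        for key, value in parse_qsl(url.query, keep_blank_values=True):
            if key == "plugin_repo_name" and is_traversal(value):
                hits[source].append(fully_decode(value))
    return dict(hits)
```

Grouping by source address also surfaces the repeated-request pattern listed under Indicators of Compromise.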
Monitoring Recommendations
- Forward DB-GPT and web server logs to a central SIEM and alert on requests targeting /v1/agent/hub/update from untrusted networks.
- Monitor Windows Security Event ID 4660 (object deleted) and 4663 (object access) for files outside the plugin directory.
- Track outbound HTTP 5xx response rates from the DB-GPT service as a proxy for files being removed mid-operation.
How to Mitigate CVE-2025-0452
Immediate Actions Required
- Restrict network access to DB-GPT instances using firewalls, reverse proxies, or VPN-only exposure until a patched release is deployed.
- Audit recent requests to /v1/agent/hub/update and inspect the DB-GPT host for missing or unexpectedly deleted files.
- Run DB-GPT under a least-privileged service account that cannot delete system files or other application data.
Patch Information
At the time of NVD publication, no vendor-issued patch is referenced in the advisory. Refer to the Huntr Bounty Report for upstream remediation status. Operators should track the eosphoros-ai/DB-GPT repository for releases that filter \ characters and canonicalize the plugin_repo_name value.
Workarounds
- Deploy a reverse proxy or web application firewall rule that blocks requests to /v1/agent/hub/update containing \, %5C, or .. sequences.
- Require authentication and authorization in front of DB-GPT administrative endpoints using an upstream identity-aware proxy.
- Where possible, run DB-GPT on Linux hosts, which are not affected by the Windows backslash separator handling described in this advisory.
- Apply Windows NTFS permissions that prevent the DB-GPT service account from deleting files outside its working directory.
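# Example NGINX reverse proxy rule blocking traversal payloads to the vulnerable endpoint
location /v1/agent/hub/update {
    # $args is the raw (still percent-encoded) query string. \x5C matches a
    # literal backslash; "\\" inside a quoted NGINX string collapses to a
    # single backslash, which would then escape the following "|".
    if ($args ~* "(\x5C|%5C|\.\.)") {
        return 403;
    }
    # $request_body is still empty when rewrite-phase "if" checks run, so a
    # payload carried in the request body has to be filtered by a WAF or
    # body-inspection module rather than by an "if" in this location.
    proxy_pass http://dbgpt_backend;
}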