CVE-2025-65720 Overview
CVE-2025-65720 is a remote code execution vulnerability in Open Source GPT Researcher version 3.3.7. Attackers can execute arbitrary commands on a victim system when a user interacts with a crafted HTML page. The flaw affects deployments of the gpt-researcher project maintained on GitHub, which is widely used to automate AI-driven research workflows. Because GPT Researcher orchestrates agents that fetch and render remote content, adversary-controlled HTML can be delivered through the normal research pipeline. Successful exploitation gives the attacker command execution in the context of the running researcher process.
Critical Impact
A crafted HTML page can trigger arbitrary command execution on any host running GPT Researcher v3.3.7, enabling full compromise of the AI agent environment.
Affected Products
- Open Source GPT Researcher v3.3.7
- Deployments consuming the assafelovic/gpt-researcher package or container image at the affected version
- Downstream AI research pipelines and Model Context Protocol (MCP) integrations built on GPT Researcher v3.3.7
Discovery Timeline
- 2026-07-15 - CVE-2025-65720 published to NVD
- 2026-07-16 - Last updated in NVD database
Technical Details for CVE-2025-65720
Vulnerability Analysis
GPT Researcher is an autonomous agent that generates research reports by browsing external sources and processing the retrieved content. The vulnerability allows an attacker to execute arbitrary commands when the agent, or a user acting through the agent, interacts with a maliciously crafted HTML page. The attack requires user interaction, meaning the researcher workflow must be pointed at, or induced to fetch, attacker-controlled content. Because the tool routinely ingests third-party web pages, satisfying that condition is trivial in realistic deployments. Once exploited, the attacker obtains command execution in the same process context as the agent, which typically holds API keys, cloud credentials, and access to internal knowledge sources.
Root Cause
The root cause resides in how GPT Researcher processes HTML content returned during automated browsing and rendering. Untrusted markup and embedded resources are handled in a way that permits attacker-supplied payloads to reach a code execution sink. Details of the specific sink are described in the OX Security research write-up referenced below.
Attack Vector
An attacker publishes a crafted HTML page and lures the GPT Researcher agent to visit it, for example by seeding search queries, poisoning indexed sources, or supplying the URL directly through an MCP integration. When the agent fetches and processes the page, the embedded payload executes commands on the host. See the OX Security Blog on RCE and the related OX Security Supply Chain Advisory for technical details. No verified public exploit code is available at this time.
Detection Methods for CVE-2025-65720
Indicators of Compromise
- Unexpected child processes spawned by the Python interpreter or Node runtime hosting the gpt-researcher service
- Outbound network connections from the researcher host to previously unseen domains immediately after HTML retrieval events
- New files written to the researcher working directory or /tmp shortly after a research task involving external URLs
Detection Strategies
- Monitor process lineage for gpt-researcher workers and alert on execution of shells, curl, wget, bash, sh, or powershell descendants
- Correlate agent HTTP fetch logs with subsequent process creation events on the same host within a short time window
- Inspect research task logs for HTML sources that produced anomalous execution telemetry or credential access
Monitoring Recommendations
- Enable command-line auditing on all hosts running GPT Researcher and forward events to a central analytics platform
- Track egress traffic from AI agent hosts and baseline expected destinations to surface command-and-control activity
- Alert on access to secrets, tokens, and cloud metadata endpoints from the researcher process
How to Mitigate CVE-2025-65720
Immediate Actions Required
- Upgrade GPT Researcher to a version later than 3.3.7 once the maintainers publish a fix on the GitHub Project Repository
- Restrict the URLs and sources the agent is permitted to fetch, and disable arbitrary user-supplied URL ingestion
- Rotate any API keys, cloud credentials, and tokens accessible to the researcher process if exposure is suspected
Patch Information
Refer to the upstream assafelovic/gpt-researcher repository for the fixed release and commit information. At the time of publication, no fixed version is listed in the NVD entry. Track the vendor advisory references linked from the CVE record for the authoritative patched version.
Workarounds
- Run GPT Researcher inside a hardened sandbox or container with read-only filesystem, no outbound shell utilities, and no host credentials mounted
- Apply strict egress filtering so the agent can only reach approved research sources
- Disable or remove MCP integrations that expose the researcher to untrusted callers until a patched version is deployed
# Configuration example: run gpt-researcher in a restricted container
docker run --rm \
--read-only \
--cap-drop=ALL \
--security-opt=no-new-privileges \
--network=researcher-egress-only \
--user 10001:10001 \
--tmpfs /tmp:rw,noexec,nosuid,size=64m \
-e OPENAI_API_KEY=$SCOPED_KEY \
gpt-researcher:patched
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

