CVE-2025-0868 — DocsGPT Allows Remote Code Execution

Description

A vulnerability, that could result in Remote Code Execution (RCE), has been found in DocsGPT. Due to improper parsing of JSON data using eval() an unauthorized attacker could send arbitrary Python code to be executed via /api/remote endpoint. This issue affects DocsGPT: from 0.8.1 through 0.12.0.

How to fix CVE-2025-0868

No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.

npm/docsgpt—no fix listed

Is CVE-2025-0868 being exploited?

Moderate — EPSS is 17.3%. Track this CVE but it's not at the top of the prioritisation list.

Affected packages (1)

>= 0.8.1, <= 0.12.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-0868
PATCHgithub.com/arc53/docsgpt
WEBcert.pl/en/posts/2025/02/CVE-2025-0868
WEBcert.pl/posts/2025/02/CVE-2025-0868
WEBgithub.com/arc53/DocsGPT