Cyber Posture

CVE-2025-0868

N/A

Published: 20 February 2025

Published
20 February 2025
Modified
15 April 2026
KEV Added
Patch
CVSS Score N/A
EPSS Score 0.1590 94.8th percentile
Risk Priority 10 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-0868 is a uncategorised-severity Eval Injection (CWE-95) vulnerability in Cert (inferred from references). Its CVSS base score is N/A.

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 5.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match
prevent

Directly requires validation of JSON inputs to the /api/remote endpoint to ensure they are within expected format, preventing arbitrary Python code execution via eval().

SI-2 Flaw Remediation good match
prevent

Mandates timely identification, reporting, and correction of the specific flaw in DocsGPT versions 0.8.1 through 0.12.0 that enables RCE through improper JSON parsing.

AC-6 Least Privilege partial match
prevent

Enforces least privilege on the DocsGPT process to limit the scope and impact of potential RCE exploitation even if arbitrary code executes.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1059.006 Python Execution
Adversaries may abuse Python commands and scripts for execution.
attack.mitre.org →
Why these techniques?

Direct RCE via unauthenticated remote exploitation of a public-facing web app using Python eval injection.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

A vulnerability, that could result in Remote Code Execution (RCE), has been found in DocsGPT. Due to improper parsing of JSON data using eval() an unauthorized attacker could send arbitrary Python code to be executed via /api/remote endpoint.. This issue…

more

affects DocsGPT: from 0.8.1 through 0.12.0.

Deeper analysisAI

CVE-2025-0868 is a remote code execution (RCE) vulnerability in DocsGPT, an open-source application, affecting versions from 0.8.1 through 0.12.0. The flaw stems from improper parsing of JSON data using the eval() function, which allows arbitrary Python code to be executed. This issue, classified under CWE-95 (Improper Neutralization of Directives in Dynamically Evaluated Code), was published on 2025-02-20.

An unauthorized remote attacker can exploit this vulnerability by sending malicious JSON payloads containing arbitrary Python code to the /api/remote endpoint. Successful exploitation results in remote code execution on the server hosting DocsGPT, potentially granting full control over the affected system.

Mitigation details are available in advisories from CERT.PL at https://cert.pl/en/posts/2025/02/CVE-2025-0868/ and https://cert.pl/posts/2025/02/CVE-2025-0868/, as well as the DocsGPT GitHub repository at https://github.com/arc53/DocsGPT. Security practitioners should review these resources for patching instructions and upgrade guidance.

Details

CWE(s)
CWE-95

Affected Products

Cert
inferred from references and description; NVD did not file a CPE for this CVE

CVEs Like This One

CVE-2026-35002Shared CWE-95
CVE-2026-28370Shared CWE-95
CVE-2025-68271Shared CWE-95
CVE-2026-4001Shared CWE-95
CVE-2026-5971Shared CWE-95
CVE-2025-54322Shared CWE-95
CVE-2026-29091Shared CWE-95
CVE-2026-28505Shared CWE-95
CVE-2026-1470Shared CWE-95
CVE-2026-33618Shared CWE-95

References