CVE-2024-10902: 
Python vulnerability analysis and mitigation

In eosphoros-ai/db-gpt version v0.6.0, a critical vulnerability was identified in the web API POST /v1/personal/agent/upload endpoint. The vulnerability (CVE-2024-10902) was discovered and disclosed on March 20, 2025, affecting the file upload functionality of the DB-GPT system (NVD).

The vulnerability is classified as an Arbitrary File Upload with Path Traversal issue. The affected endpoint lacks proper validation of user-supplied data, allowing unauthorized attackers to upload arbitrary files to any location in the victim's file system. The vulnerability has received a CVSS v3.0 base score of 9.1 (CRITICAL) with the vector string CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H, indicating high severity with network accessibility and no required privileges or user interaction (NVD, Huntr).

The vulnerability's impact is severe as it enables potential remote code execution (RCE) capabilities. Attackers can write malicious files to critical system locations, such as placing a malicious __init__.py file in the Python's /site-packages/ directory, which could lead to code execution in the context of the application (NVD).