CVE-2025-0868: 
JavaScript vulnerability analysis and mitigation

A critical Remote Code Execution (RCE) vulnerability (CVE-2025-0868) has been discovered in DocsGPT, affecting versions 0.8.1 through 0.12.0. The vulnerability was disclosed on February 20, 2025, and was reported to CERT Polska. DocsGPT is an open-source genAI tool designed to help users get reliable answers from knowledge sources while avoiding hallucinations (CERT Polska, GitHub DocsGPT).

The vulnerability stems from improper parsing of JSON data using the eval() function, which allows an unauthorized attacker to execute arbitrary Python code via the /api/remote endpoint. The vulnerability has been classified as CWE-77 (Improper Neutralization of Special Elements used in a Command 'Command Injection'). The CVSS v4.0 score is 9.3 (CRITICAL) with the vector string: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N (NVD).

The vulnerability allows unauthorized attackers to execute arbitrary Python code remotely on affected systems. This could potentially lead to complete system compromise, data theft, or service disruption, as the attack requires no authentication and can be executed remotely (CERT Polska).

Users running DocsGPT versions 0.8.1 through 0.12.0 should upgrade to a newer version when available. As this is a recently disclosed vulnerability, users should monitor the official DocsGPT GitHub repository for security updates and patches (GitHub DocsGPT).

The vulnerability has gained attention in the cybersecurity community, being featured in The Hacker News' weekly recap alongside other significant security issues, indicating its importance in the current threat landscape (The Hacker News).