DocsGPT is a GPT-powered chat for documentation. From version 0.15.0 to before version 0.16.0, an attacker accessing both the official DocsGPT website or any local and public deployment, can craft a malicious payload bypassing the "MCP test" behavior to achieve arbitrary remote code execution (RCE). This issue has been patched in version 0.16.0.
An attacker crafts a malicious payload that bypasses the control mechanism known as 'MCP test'. The vulnerability is classified as CWE-77 (Improper Neutralization of Special Elements used in a Command), which means the application does not properly filter input data passed to system calls or commands. This results in the ability to inject and execute arbitrary commands in the context of the application process. The attack can be conducted remotely, without authentication and without user interaction.
An attacker can gain full control over the server — execute arbitrary code, read or modify data, and potentially move laterally within the target network. The maximum CVSS score of 10.0 reflects the full impact on confidentiality, integrity, and availability of both the attacked system and related resources.
DocsGPT must be immediately updated to version 0.16.0 or later. The patch is available in the vendor's GitHub repository: https://github.com/arc53/DocsGPT/releases/tag/0.16.0. Until the update is deployed, it is recommended to restrict network access to the DocsGPT instance (e.g., firewall, VPN) and monitor logs for unexpected system command invocations.
DocsGPT versions 0.15.0 to below 0.16.0 (all deployments: vendor's official website, public and local installations).
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:XArc53 Docsgpt
APPArc530.15.0