# DB-GPT — RCE via sandbox blocklist bypass in unauthenticated code execution API

STATUS: DRAFT
readiness: READY
program: DB-GPT | platform: huntr | repo: eosphoros-ai/DB-GPT | commit: 2026-02-13-scan

````
Repository URL: https://github.com/eosphoros-ai/DB-GPT
Package Manager: pip
Version Affected: latest (observed in 2026-02-13 scan)
Vulnerability Type: Code Injection

CVSS:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High
(As a CVSS 3.x vector these metrics are AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H, base score 10.0.)

Title: /execute sandbox uses bypassable string blocklist and enables host command execution

Impact: Unauthenticated attackers can achieve remote code execution on the sandbox host/process, enabling full server compromise and pivoting.

Description:

# Description

DB-GPT's sandbox code validation relies on substring blocklist checks (e.g., `"import os"`) that are trivially bypassed by any import form that does not contain the exact substring, such as `from os import system` or `import  os` with two spaces. Observed approach:

```python
dangerous_patterns = ["import os", "import subprocess", "__import__", ...]
for pattern in dangerous_patterns:
    if pattern in code_lower:
        warnings.append(...)
```

The local runtime then writes the accepted code to a file and executes it via subprocess; no OS-level isolation (container, namespace, seccomp or separate user) is described on this path, so code that passes the blocklist runs with the privileges of the sandbox process. The scan also indicates `/execute` is unauthenticated, so the bypass is reachable without credentials.

# Proof of Concept

1. Send a request to the code execution endpoint with a bypass payload.
2. Use syntax that avoids the blocked substrings.
3. Observe the command execution side effect/output.

Example request body:

```json
{
  "session_id": "x",
  "code_type": "python",
  "code_content": "from os import system\nsystem('id')"
}
```

Expected vulnerable behavior: the payload bypasses the blocklist and executes on the host runtime.

### Impact

Unauthenticated attackers can achieve remote code execution on the sandbox host/process, enabling full server compromise and pivoting.
### Occurrences

```
Permalink: https://github.com/eosphoros-ai/DB-GPT/blob/main/packages/dbgpt-sandbox/src/dbgpt_sandbox/sandbox/execution_layer/utils.py#L179-L197
Description: insecure blocklist-style pattern matching for code safety validation

Permalink: https://github.com/eosphoros-ai/DB-GPT/blob/main/packages/dbgpt-sandbox/src/dbgpt_sandbox/sandbox/execution_layer/local_runtime.py#L80-L95
Description: accepted code is written and executed via subprocess without robust isolation guarantees
```

### References

```
URL: https://cwe.mitre.org/data/definitions/184.html
Name: CWE-184: Incomplete List of Disallowed Inputs

URL: https://cwe.mitre.org/data/definitions/94.html
Name: CWE-94: Improper Control of Generation of Code

URL: https://owasp.org/www-community/attacks/Command_Injection
Name: OWASP Command Injection
```
````
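### Added example: substring blocklist vs. AST-based validation

The following is an added example, not DB-GPT's own code: it reproduces the shape of the blocklist quoted in the description, runs the PoC payload through it, and places an AST-based validator beside it that inspects imports, builtin calls and dunder attribute access as the interpreter would see them. The pattern list contains only the strings quoted in the report; `DENIED_MODULES`, `DENIED_BUILTINS`, the function names and the three sample payloads are the example's own assumptions, constructed for illustration.

```python
"""Added example (not DB-GPT project code): substring blocklist of the shape
quoted in the report next to an AST-based validator.

Assumptions: DANGEROUS_PATTERNS reproduces only the strings quoted in the
report; DENIED_MODULES / DENIED_BUILTINS are an illustrative policy; the
function names and sample payloads are the example's own.
"""
import ast

# Shape of the blocklist quoted in the report (the repository's full list is not reproduced).
DANGEROUS_PATTERNS = ["import os", "import subprocess", "__import__"]

# Illustrative policy for the AST validator (assumed; not the project's).
DENIED_MODULES = {"os", "subprocess", "sys", "importlib", "ctypes", "socket"}
DENIED_BUILTINS = {"__import__", "eval", "exec", "compile", "open"}

# Constructed inputs: the report's PoC payload and two further probes.
POC_PAYLOAD = "from os import system\nsystem('id')"
ALIASED_PAYLOAD = "import  os as o\no.system('id')"  # two spaces defeat "import os"
EVASION_PAYLOAD = "getattr(__builtins__, '__imp' + 'ort__')('os').system('id')"


def blocklist_check(code: str) -> list[str]:
    """Substring match over the lowercased source, as the report describes.
    Returns the patterns that matched (empty list means the code passes)."""
    code_lower = code.lower()
    return [p for p in DANGEROUS_PATTERNS if p in code_lower]


def ast_check(code: str) -> list[str]:
    """Parse the source and inspect every node, so the check sees what the
    interpreter will execute rather than how the text is spelled. Flags:
    - any import of a denied module, in any form (import x / import x as y /
      from x import z / from x.sub import z),
    - direct calls to denied builtins,
    - dunder attribute access (the usual entry to __class__/__subclasses__ chains).
    Returns findings (empty list means the code passes)."""
    try:
        tree = ast.parse(code)
    except SyntaxError as exc:
        return [f"unparseable code: {exc.msg}"]  # refuse rather than run it

    findings = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name.split(".")[0] in DENIED_MODULES:
                    findings.append(f"import {alias.name}")
        elif isinstance(node, ast.ImportFrom):
            root = (node.module or "").split(".")[0]
            if root in DENIED_MODULES:
                names = ", ".join(a.name for a in node.names)
                findings.append(f"from {node.module} import {names}")
        elif isinstance(node, ast.Call) and isinstance(node.func, ast.Name):
            if node.func.id in DENIED_BUILTINS:
                findings.append(f"call to {node.func.id}")
        elif isinstance(node, ast.Attribute) and node.attr.startswith("__"):
            findings.append(f"dunder attribute .{node.attr}")
    return findings


if __name__ == "__main__":
    samples = [("PoC", POC_PAYLOAD), ("aliased", ALIASED_PAYLOAD), ("evasion", EVASION_PAYLOAD)]
    for label, code in samples:
        print(f"{label:8} blocklist={blocklist_check(code)!r}  ast={ast_check(code)!r}")
```

Running the block shows the PoC and the aliased import passing the substring blocklist and being caught by the AST check, while the third payload, which builds the name `__import__` at runtime from two string halves, passes both. That is the caveat a practitioner should take from this report: any syntactic denylist over Python source, AST-based or not, remains an incomplete list (CWE-184), so the security boundary has to be OS-level isolation of the execution step in `local_runtime.py` (separate user, container or seccomp profile, no network, resource limits) plus authentication on `/execute`; source validation is at most a defense-in-depth layer in front of that.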