


Perceptive Security
SOC/SIEM Consultancy

A security flaw has been discovered in eosphoros-ai db-gpt 0.7.5. Affected is the function importlib.machinery.SourceFileLoader.exec_module of the file /api/v1/…
Published:
1 March 2026 at 23:00:00
Alert date:
2 March 2026 at 06:01:36
Source:
nvd.nist.gov
Web Technologies, Database & Storage
A critical code injection vulnerability has been discovered in eosphoros-ai db-gpt version 0.7.5. The flaw affects the Flow Import Endpoint component, specifically the importlib.machinery.SourceFileLoader.exec_module function in the /api/v1/serve/awel/flow/import file. Attackers can exploit this vulnerability remotely through file manipulation to achieve code injection. The exploit has been publicly released and is available for active attacks. The vendor was contacted about the disclosure but has not responded.
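An added audit helper (not code from the advisory or from db-gpt) that locates the sink named above, `exec_module`, in Python source by parsing it with `ast` rather than importing it. It goes beyond the `SourceFileLoader` case in the text by also recognising the `spec_from_file_location` idiom; `SAMPLE`, `import_flow` and `load_builtin` are constructed for illustration.

```python
import ast

# Real importlib APIs that build a loader or spec from a filesystem path.
PATH_LOADERS = {"SourceFileLoader", "spec_from_file_location"}

# Constructed sample, not db-gpt source: one handler loads an uploaded file.
SAMPLE = '''
import importlib.machinery, importlib.util

async def import_flow(upload, dest):
    path = dest / upload.filename
    path.write_bytes(await upload.read())
    loader = importlib.machinery.SourceFileLoader("flow_mod", str(path))
    spec = importlib.util.spec_from_loader("flow_mod", loader)
    mod = importlib.util.module_from_spec(spec)
    loader.exec_module(mod)  # top-level code of the uploaded file runs here
    return mod

def load_builtin(spec, mod):
    spec.loader.exec_module(mod)
'''

def _callee(call):
    """Trailing identifier of the called object, e.g. 'exec_module'."""
    f = call.func
    return f.attr if isinstance(f, ast.Attribute) else getattr(f, "id", None)

def find_exec_module_sinks(source):
    """Return [(line, enclosing scope, path_loader_in_scope)] without running source."""
    tree = ast.parse(source)
    scopes = [("<module>", tree)] + [
        (n.name, n) for n in ast.walk(tree)
        if isinstance(n, (ast.FunctionDef, ast.AsyncFunctionDef))
    ]
    found = {}
    # ast.walk is breadth-first, so inner scopes come later and overwrite outer ones.
    for name, scope in scopes:
        calls = [n for n in ast.walk(scope) if isinstance(n, ast.Call)]
        from_path = bool({_callee(c) for c in calls} & PATH_LOADERS)
        for c in calls:
            if _callee(c) == "exec_module":
                found[c.lineno] = (c.lineno, name, from_path)
    return sorted(found.values())

if __name__ == "__main__":
    for line, scope, from_path in find_exec_module_sinks(SAMPLE):
        print(f"line {line}: exec_module in {scope}, path loader in scope: {from_path}")
```

A finding with the path-loader flag set is the one to review first: check whether the path passed to the loader can be influenced by a request.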
Technical details
Affected products:
eosphoros-ai db-gpt
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-3409
https://gist.github.com/YLChen-007/d2799d8b2077e50658f12a45bcae9b70
https://vuldb.com/?ctiid.348304
https://vuldb.com/?id.348304
https://vuldb.com/?submit.763745
This article was created with the assistance of AI technology by Perceptive.
