External risk intelligence

Open Source GPT Researcher Command Execution Vulnerability

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2025-65720

GPT Researcher is an open-source framework typically run as a local development tool or internal research agent rather than a public-facing edge service. While it involves web interactions that could be exposed, it is not designed to be an internet-facing gateway or public-facing API service in standard deployment patterns.

Halo Surface Signal: 3 out of 5 — possibly public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

This vulnerability involves an open-source tool for AI research that could allow an attacker to run unauthorized commands on a system if a user interacts with a malicious web page. While the tool isn't typically exposed to the internet, its potential for misuse warrants careful attention to confirm its presence and exposure within our environment.

  • Unsafe commands can be run through web interaction.
  • Confirms if this AI research tool is in use.
  • Assess if the tool is exposed to unauthorized access.

Attack Path

How an attacker could exploit the issue

An attacker can target users by sending them a malicious HTML page. When the user interacts with this page, the vulnerability in Open Source GPT Researcher could allow an attacker to run commands on the victim's system, potentially leading to a full system compromise.

  • No special access needed.
  • User interaction with a crafted HTML page.
  • Arbitrary command execution on victim system.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow an attacker to execute arbitrary commands on a victim system when a user interacts with a specially crafted HTML page. The affected system's data, behavior, and sensitive information could be compromised under these conditions.

  • System commands and data could be affected.
  • Exposure may occur via user interaction with HTML.
  • Arbitrary code execution is a realistic consequence.

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability impacts Open Source GPT Researcher, likely deployed by development or research teams. The primary action is to identify all instances, determine their exposure and criticality, and locate the accountable owner for remediation planning.

  • Application owners should manage this.
  • Verify exposure and business criticality.
  • Plan remediation and coordinate with vendors.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is GPT Researcher?

GPT Researcher is an open-source framework designed to automate online research tasks. Developers and research teams use it as an autonomous agent to scrape, aggregate, and analyze web data to generate reports. It is typically deployed as a local development tool or an internal service within an organization's environment to support AI-driven information gathering workflows.

What does CWE-77 mean for CVE-2025-65720?

CWE-77 refers to Improper Neutralization of Special Elements used in a Command, commonly known as Command Injection. In the context of this CVE, it means the application fails to properly filter or sanitize user-supplied input before passing it to a system shell. This weakness allows an attacker to manipulate the input to execute unauthorized, arbitrary commands on the underlying host operating system.

How does an attacker trigger this vulnerability?

An attacker triggers this issue by tricking a user into interacting with a specially crafted HTML page. When the user loads or interacts with this malicious content, it exploits the application's unsafe handling of commands. Simply having the software installed is not enough to trigger the bug; the exploit path requires this specific user-driven web interaction to execute malicious commands on the victim's system.

Is my system at risk according to Halo Surface Signal?

Halo Surface Signal notes that GPT Researcher is usually an internal tool, not a public-facing gateway or API. While the threat is technically rated as having a network attack vector, its standard deployment as a private development or research agent reduces the likelihood of direct internet exposure. You should assess whether your instances are accidentally reachable from external networks to determine your specific risk level.

What should I do if I use GPT Researcher?

Start by identifying every instance of the software across your development and research environments to build an accurate inventory. Once located, verify who is responsible for each deployment and determine if the service is reachable from outside your secure network. Finally, work with your team to review the software's current status and coordinate with the project maintainers for any available updates or guidance.

References