CVE-2024-47171
Agnai vulnerable to Relative Path Traversal in Image Upload
Description
### Summary A vulnerability has been discovered in **Agnai** that permits attackers to upload image files at attacker-chosen location on the server. This issue can lead to image file uploads to unauthorized or unintended directories, including overwriting of existing images which may be used for defacement. This does not affect: - agnai.chat - installations using S3-compatible storage - self-hosting that is not publicly exposed ### CWE-35: Path Traversal https://cwe.mitre.org/data/definitions/35.html ### CVSS4.0 - 2.3 Low CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N ### Details This is a path traversal vulnerability. An attacker can exploit this vulnerability by sending a specially crafted request to the `editCharacter` handler https://github.com/agnaistic/agnai/blob/75abbd5b0f5e48ddecc805365cf1574d05ee1ce5/srv/api/character.ts#L140: ```tsx POST /api/character/28cbe508-2fa9-4890-886e-61d73e22006c%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%61%70%70%2f%64%69%73%74%2f%64%61%6e%79%61%6e%67 HTTP/1.1 ``` The path traversal character sequence makes it’s way into the `id` variable which is then string interpolated into `filename`. ```jsx export async function entityUpload(kind: string, id: string, attachment?: Attachment) { if (!attachment) return const filename = `${kind}-${id}` return upload(attachment, filename) } ``` https://github.com/agnaistic/agnai/blob/75abbd5b0f5e48ddecc805365cf1574d05ee1ce5/srv/api/upload.ts#L55 No path normalization is conducted nor checked, so attackers can freely manipulate the path which the file is uploaded to. ### Impact This vulnerability is classified as a path traversal vulnerability. Attackers can upload image files to arbitrary locations, potentially overwriting critical system image files. ### Credit Security research in collaboration with Analyst [Danyang Liu (noe223)](https://github.com/noe233) @noe233
How to fix CVE-2024-47171
To remediate CVE-2024-47171, upgrade the affected package to a fixed version below.
- —upgrade to 1.0.330 or later
Is CVE-2024-47171 being exploited?
Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.