CVE-2024-9418 in superagi
Summary
by MITRE • 03/20/2025
In version 0.0.14 of transformeroptimus/superagi, the API endpoint `/api/users/get/{id}` returns the user's password in plaintext. This vulnerability allows an attacker to retrieve the password of another user, leading to potential account takeover.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 08/01/2025
The vulnerability identified as CVE-2024-9418 affects the transformeroptimus/superagi application version 0.0.14 and represents a critical security flaw in the user authentication system. This issue manifests through the improperly secured API endpoint `/api/users/get/{id}` which exposes sensitive user credentials during routine operations. The flaw fundamentally compromises the application's security posture by enabling unauthorized access to user authentication data through a simple API call that should only return basic user information.
This vulnerability constitutes a direct violation of security best practices and can be categorized under CWE-542 - Information Exposure Through External Control. The technical implementation error occurs when the system fails to properly validate or sanitize API responses, resulting in the inclusion of plaintext passwords within the response payload. The flaw exists because the application does not enforce proper access controls or data filtering mechanisms before returning user information, allowing any authenticated or potentially unauthenticated attacker to exploit this endpoint for credential harvesting.
The operational impact of this vulnerability extends beyond simple credential theft, as it creates a pathway for comprehensive account takeover and lateral movement within the application ecosystem. An attacker who gains access to this endpoint can systematically retrieve passwords for multiple users, potentially leading to complete system compromise. This vulnerability aligns with ATT&CK technique T1078 - Valid Accounts, as it enables adversaries to acquire legitimate credentials for unauthorized access. The risk is amplified by the fact that the password exposure occurs without requiring additional authentication or complex exploitation techniques, making it particularly dangerous in environments where users may reuse credentials across multiple systems.
Mitigation strategies for this vulnerability must address both immediate remediation and long-term architectural improvements. The primary fix involves implementing proper access control checks on the `/api/users/get/{id}` endpoint to ensure that password fields are never returned in API responses, regardless of the requesting user's permissions. Additionally, the application should enforce strict data filtering mechanisms that prevent sensitive fields from being exposed through any API endpoint. Implementing comprehensive input validation and output sanitization procedures, along with regular security code reviews, will help prevent similar issues from emerging in future releases. Organizations should also consider implementing rate limiting and monitoring for unusual API access patterns to detect potential exploitation attempts. The fix should align with security frameworks such as OWASP API Security Top 10 and NIST Cybersecurity Framework to ensure comprehensive protection against credential exposure attacks.