Submission #791083: SuperAGI up to c3c1982 Path Traversal (CWE-22)

Title: SuperAGI up to c3c1982 Path Traversal (CWE-22)
Description:

# Technical Details

An Arbitrary File Write vulnerability via Path Traversal exists in the `upload` function in `superagi/controllers/resources.py` of SuperAGI. The application fails to sanitize the `file.filename` attribute from the HTTP multipart upload before joining it with the base storage directory. The extension check is only applied to the `name` form field (not the actual filename), allowing an attacker to bypass the check and write files to arbitrary locations on the server.

# Vulnerable Code

File: superagi/controllers/resources.py (lines 71-77)
Method: upload
Why: The application performs an extension check on the `name` field of the form data, but constructs the file path using the unsanitized `file.filename` attribute. Path traversal sequences (e.g., `../../`) in `file.filename` are preserved, allowing writes outside the intended upload directory. In the default development environment, the endpoint lacks authentication enforcement.

# Reproduction

1. Ensure the SuperAGI backend is running.
2. Send the following request with a path traversal payload in the filename:

```sh
curl -s -X POST "http://127.0.0.1:8001/resources/add/1" -F "name=legit_name.txt" -F "size=24" -F "type=text/plain" -F "file=@/tmp/payload.txt;filename=../../../../../../../../../../tmp/pwned_traversal.txt"
```

3. Verify that the file was written:

```sh
docker exec -it superagi-backend cat /tmp/pwned_traversal.txt
```

# Impact

- Arbitrary File Write: an attacker can write files to any location on the server filesystem.
- Remote Code Execution: by overwriting Python library files, startup scripts, or configuration files, the attacker can achieve RCE.
- The vulnerability is exploitable with no authentication in the default development environment (CVSS: Critical).
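As an added illustration (not SuperAGI's code and not from the submitter), the defective pattern described above is shown beside a hardened version: the extension check must run on the filename that is actually joined to the base directory, path components must be rejected, and the resulting absolute path must be confirmed to stay inside the upload directory. The allow-list of extensions is constructed for the example.

```python
import os
from pathlib import PurePosixPath

# Constructed allow-list for the example; SuperAGI's real list is not reproduced here.
ALLOWED_EXTENSIONS = {".txt", ".csv", ".pdf"}


def vulnerable_upload_path(base_dir: str, name: str, filename: str) -> str:
    """Pattern described in the report: the extension is checked on the
    separate `name` form field, but the path is built from the multipart
    `filename`, so `../` sequences in `filename` survive into the join."""
    if PurePosixPath(name).suffix.lower() not in ALLOWED_EXTENSIONS:
        raise ValueError("extension not allowed")
    return os.path.join(base_dir, filename)


def safe_upload_path(base_dir: str, filename: str) -> str:
    """Hardened version: validate the filename that is actually used, reject
    anything containing a path component, and confirm the final absolute
    path still lies inside base_dir."""
    leaf = PurePosixPath(filename.replace("\\", "/")).name
    if leaf != filename or leaf in ("", ".", ".."):
        raise ValueError(f"filename must be a bare name: {filename!r}")
    if PurePosixPath(leaf).suffix.lower() not in ALLOWED_EXTENSIONS:
        raise ValueError(f"extension not allowed: {leaf}")
    base = os.path.abspath(base_dir)
    target = os.path.abspath(os.path.join(base, leaf))
    if os.path.commonpath([base, target]) != base:
        raise ValueError("resolved path escapes the upload directory")
    return target


def escapes_base(base_dir: str, path: str) -> bool:
    """True if `path`, once normalised, lies outside base_dir."""
    base = os.path.abspath(base_dir)
    return os.path.commonpath([base, os.path.abspath(path)]) != base


def accepts(base_dir: str, filename: str) -> bool:
    """True if safe_upload_path accepts `filename` for base_dir."""
    try:
        safe_upload_path(base_dir, filename)
        return True
    except ValueError:
        return False
```

The vulnerable function returns a path that normalises to a location outside the base directory when the multipart filename carries traversal sequences, while the hardened function rejects the same input before any file is touched.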
Source: https://gist.github.com/YLChen-007/300843c707435540ce0e23bff3e6173a
User: Eric-y (UID 95889)
Submitted: 27.03.2026 13:03 (24 days ago)
Moderated: 19.04.2026 18:13 (23 days later)
Status: accepted
VulDB entry: 358250 [TransformerOptimus SuperAGI up to 0.0.14 Multipart Upload resources.py upload Name directory traversal]
Points: 20
