Platform
python
Component
agent-zero
Fixed in
0.8.1
0.8.2
0.8.3
0.8.4
0.8.5
CVE-2025-6166 is a problematic Path Traversal vulnerability affecting Agent-Zero versions 0.8.0 through 0.8.4. It allows an attacker to read files outside the intended directory by manipulating the 'path' argument of the image_get function in /python/api/image_get.py. Upgrading to version 0.8.4.1, which contains the fix, is strongly recommended. The patch identifier is 5db74202d632306a883ccce7339c5bdba0d16c5a.
The Path Traversal vulnerability in Agent-Zero allows an attacker to bypass intended access controls and read arbitrary files on the system where Agent-Zero is running. By crafting a malicious request that manipulates the 'path' parameter in the /python/api/image_get.py endpoint, an attacker could potentially retrieve configuration files, source code, or other sensitive data. The extent of the data accessible depends on the permissions of the Agent-Zero process and the file system structure. While the CVSS score is LOW, successful exploitation could lead to information disclosure and compromise system confidentiality.
CVE-2025-6166 was disclosed on 2025-06-17. There are currently no publicly available proof-of-concept exploits. The EPSS score is 0.06% (20th percentile). This vulnerability is not currently listed in the CISA KEV catalog.
Organizations deploying Agent-Zero versions 0.8.0 through 0.8.4 are at risk. This includes environments where Agent-Zero is used for image processing or data retrieval, particularly those whose API endpoints are reachable from untrusted networks. Shared hosting environments where Agent-Zero is installed are also exposed if the hosting provider has not applied the update.
• python / server:
import requests

# Placeholder host. The HTTP route is assumed to mirror the file path
# /python/api/image_get.py named in the advisory; adjust it to your deployment.
url = 'http://your-agent-zero-server/python/api/image_get.py'

# The number of '../' segments needed depends on the directory the endpoint
# resolves paths against; add more if a single step does not reach /etc.
payload = '../etc/passwd'

try:
    response = requests.get(url, params={'path': payload}, timeout=10)  # attempt path traversal
    # An HTTP 200 on its own proves nothing (the endpoint may return an error image or
    # a generic page with status 200); look for content only /etc/passwd would carry.
    if response.status_code == 200 and 'root:' in response.text:
        print("Potential vulnerability detected: path traversal returned /etc/passwd content.")
    else:
        print("Path traversal attempt failed (or the response was not /etc/passwd).")
except requests.exceptions.RequestException as e:
    print(f"Error: {e}")
Exploit status
EPSS
0.06% (20th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-6166 is to upgrade Agent-Zero to version 0.8.4.1 or later, which includes the fix. If an immediate upgrade is not feasible, add input validation on the 'path' parameter handled by /python/api/image_get.py to prevent traversal: either allowlist the characters a file name may contain, or resolve the requested path and require it to remain inside a fixed image directory (a lexical check for '..' alone misses absolute paths and symlinks). Additionally, review file system permissions so that the Agent-Zero process has only the access rights it needs; the files a traversal can reach are bounded by what that process can read. After upgrading, confirm the fix by requesting a file outside the image directory via /python/api/image_get.py with a crafted path traversal payload; the request should be refused.
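The two validation strategies described above, shown side by side with the vulnerable pattern, as an added example. This is not Agent-Zero's code and does not reproduce its image_get implementation: the image directory /srv/agent-zero/images is a placeholder, and the function names are hypothetical. The containment check resolves symlinks, so a link placed inside the image directory that points outside it is rejected too, which a pure string check would miss.

```python
import os
import re
import tempfile
from pathlib import Path

# Assumed image directory for the example; the page does not state where
# Agent-Zero stores images, so this is a placeholder, not the project's path.
IMAGE_ROOT = Path("/srv/agent-zero/images")


def vulnerable_image_get(path: str, root: Path = IMAGE_ROOT) -> str:
    """The pattern behind a path-traversal bug: join and normalise the
    user-supplied value without checking where it ends up.  An absolute
    'path' makes os.path.join discard root entirely, and '..' walks out of it."""
    return os.path.normpath(os.path.join(root, path))


def safe_image_get(path: str, root: Path = IMAGE_ROOT) -> Path:
    """Hardened form: resolve the candidate (following symlinks) and require
    it to be root itself or a descendant of root.  resolve() is non-strict,
    so the check also works for files that do not exist yet."""
    root_resolved = root.resolve()
    candidate = (root_resolved / path).resolve()
    if candidate != root_resolved and root_resolved not in candidate.parents:
        raise PermissionError(f"path escapes image root: {path!r}")
    return candidate


# Allowlist alternative: one plain file name, no separators, not dot-led.
_SIMPLE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")


def is_simple_name(path: str) -> bool:
    """Stricter filter for endpoints whose clients never need subdirectories."""
    return bool(_SIMPLE_NAME.match(path)) and ".." not in path


def classify(path: str, root: Path = IMAGE_ROOT) -> str:
    """Return 'allowed' or 'rejected' for a candidate path under root."""
    try:
        safe_image_get(path, root)
        return "allowed"
    except PermissionError:
        return "rejected"


def symlink_escape_check() -> str:
    """A symlink inside the image directory that points outside it: the
    lexical join looks harmless, but resolve() follows the link and the
    containment check rejects it.  Built in a temp dir so it runs offline."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "images"
        root.mkdir()
        secret = Path(tmp) / "secret.txt"
        secret.write_text("outside the image root\n")  # constructed sample file
        (root / "link.png").symlink_to(secret)
        return classify("link.png", root)


if __name__ == "__main__":
    payloads = [
        "cat.png",                    # legitimate
        "sub/cat.png",                # legitimate subdirectory
        "../etc/passwd",              # the advisory's traversal shape
        "../../../../etc/passwd",     # deeper traversal
        "/etc/passwd",                # absolute path swallows the root
        "sub/../../etc/passwd",       # traversal hidden behind a valid prefix
    ]
    for p in payloads:
        print(f"{p!r:28} vulnerable -> {vulnerable_image_get(p):34} safe -> {classify(p)}")
    print("symlink inside root pointing outside:", symlink_escape_check())
```

The containment check compares resolved paths rather than string prefixes, so a sibling directory such as /srv/agent-zero/images-old is not mistaken for a child of the image root. If the framework in front of the endpoint does not URL-decode the parameter before it reaches this code, decode it first; otherwise an encoded `..%2f` reaches the file system untouched.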
Upgrade Agent-Zero to version 0.8.4.1 or later. This version fixes the path traversal vulnerability in the image_get function of /python/api/image_get.py and removes the risk of unauthorized access to sensitive files through that endpoint.
CVE-2025-6166 is a Path Traversal vulnerability affecting Agent-Zero versions 0.8.0 through 0.8.4, allowing attackers to read files outside the intended directory.
You are affected if you are running Agent-Zero 0.8.0, 0.8.1, 0.8.2, 0.8.3, or 0.8.4. Upgrade to 0.8.4.1 or later to mitigate the risk.
Upgrade Agent-Zero to version 0.8.4.1 or later. If immediate upgrade is not possible, implement input validation on the 'path' parameter.
As of the current disclosure date, there are no reports of active exploitation of CVE-2025-6166.
Refer to the Agent-Zero project's official communication channels and release notes for the advisory related to CVE-2025-6166.