Platform
python
Component
devika
Fixed in
-
CVE-2024-5752 describes a critical path traversal vulnerability affecting the stitionai/devika project creation functionality. This flaw allows attackers to manipulate project names to traverse directories, potentially leading to arbitrary file overwrites and, ultimately, remote code execution. The vulnerability impacts versions of devika prior to a fix being released, and mitigation strategies are currently focused on workarounds.
The impact of CVE-2024-5752 is significant due to the potential for remote code execution. An attacker could leverage this vulnerability to overwrite critical system files or inject malicious code into the application's codebase. Successful exploitation could grant an attacker complete control over the affected system, enabling them to steal sensitive data, install malware, or disrupt operations. The ability to traverse directories makes this vulnerability particularly dangerous, as it bypasses typical input validation mechanisms. This vulnerability shares similarities with other path traversal exploits where attackers manipulate file paths to access unauthorized resources.
CVE-2024-5752 was published on 2025-03-20. Currently, there are no known public proof-of-concept exploits. The EPSS score is pending evaluation, but the CRITICAL CVSS score suggests a high probability of exploitation if left unaddressed. Monitor security advisories and threat intelligence feeds for any indications of active exploitation campaigns targeting this vulnerability.
Exploit Status
EPSS
2.05% (84th percentile)
CISA SSVC
CVSS Vector
Due to the absence of a fixed version, immediate mitigation is crucial. Implement strict input validation on the project name field, rejecting any names containing directory traversal characters (e.g., '..'). Deploy a Web Application Firewall (WAF) with rules to block requests containing suspicious path traversal patterns. Regularly review and audit project creation logs for any unusual activity. Consider restricting the application's write access to only necessary directories. After implementing these mitigations, carefully review the application's behavior to ensure that project creation functions operate as expected and that no unintended file modifications occur.
Update to the latest version of Devika that contains the fix for the path traversal vulnerability. Ensure you validate and sanitize user inputs, especially project names, to prevent the creation of malicious paths. Review your environment's security configuration to mitigate the risk of remote code execution.
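As an added example (not devika's own code), the following Python shows the project-name validation the mitigation above calls for. Rejecting the literal '..' alone is not sufficient, so the example combines an allow-list on the raw name with a containment check on the resolved path; the projects root directory is a constructed assumption.

```python
import re
from pathlib import Path

# Constructed root for created projects; the real location is deployment-specific.
PROJECTS_ROOT = Path("/srv/devika/projects")

# Allow-list: 1-64 chars of letters, digits, space, underscore or hyphen,
# starting with a letter or digit. A deny-list on ".." alone would still let
# through absolute paths, separators, percent-encoded dots and NUL bytes.
_NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9 _-]{0,63}")


class InvalidProjectName(ValueError):
    """Raised when a user-supplied project name is refused."""


def validate_project_name(name: str) -> str:
    """Layer 1: accept only names matching the allow-list."""
    if not isinstance(name, str) or not _NAME_RE.fullmatch(name):
        raise InvalidProjectName(f"rejected project name: {name!r}")
    return name


def is_inside(root: Path, candidate: Path) -> bool:
    """Layer 2: True only if *candidate* resolves to a direct child of *root*."""
    # resolve() is non-strict, so this works before the directory exists,
    # which is the state at project-creation time.
    root_r, cand_r = root.resolve(), candidate.resolve()
    return cand_r.parent == root_r and cand_r != root_r


def project_dir(name: str, root: Path = PROJECTS_ROOT) -> Path:
    """Map a project name to its directory, or raise InvalidProjectName."""
    # Both layers run independently so a gap in one does not open the other.
    validate_project_name(name)
    target = root / name
    if not is_inside(root, target):
        raise InvalidProjectName(f"project path escapes root: {name!r}")
    return target


def check_names(names) -> dict:
    """Return {name: accepted} for a batch of candidate names."""
    accepted = {}
    for n in names:
        try:
            project_dir(n)
            accepted[n] = True
        except InvalidProjectName:
            accepted[n] = False
    return accepted
```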
CVE-2024-5752 is a critical vulnerability in stitionai/devika allowing attackers to manipulate project names to traverse directories and potentially overwrite files, leading to remote code execution.
If you are using a version of stitionai/devika prior to a fix being released (currently no fixed version available), you are potentially affected by this vulnerability.
As no fixed version is available, mitigation involves strict input validation on project names, WAF rules, and restricting write access to necessary directories.
Currently, there are no known public proof-of-concept exploits or confirmed active exploitation campaigns, but the CRITICAL severity warrants immediate attention.
Refer to the stitionai project repository and security advisories for updates and further information regarding CVE-2024-5752.