Platform
python
Component
transformeroptimus/superagi
CVE-2024-9415 describes a Path Traversal vulnerability discovered in the file upload functionality of transformeroptimus/superagi versions 0.0.14 and earlier. This flaw allows malicious actors to upload arbitrary files to the server, bypassing intended security controls. The vulnerability impacts all users running affected versions of SuperAGI and poses a significant risk of unauthorized access and code execution. A fix is expected to be released by the vendor.
The primary impact of CVE-2024-9415 is the ability for an attacker to upload arbitrary files to the SuperAGI server. This can be exploited to overwrite critical system files, inject malicious code (e.g., a web shell), or exfiltrate sensitive data. Successful exploitation could lead to complete server compromise, allowing an attacker to gain persistent access and control over the system. The blast radius extends to any data stored on the server and potentially to other systems accessible from the compromised server, depending on the SuperAGI deployment environment and network configuration. This vulnerability shares similarities with other path traversal exploits where attackers leverage predictable file system structures to bypass access controls.
CVE-2024-9415 was publicly disclosed on 2025-03-20. Currently, there are no known active campaigns targeting this vulnerability, but the availability of a public description increases the likelihood of exploitation. No public proof-of-concept (PoC) code has been released at the time of this writing. The vulnerability is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS
1.35% (80% percentile)
CISA SSVC
CVSS Vector
While a patched version of SuperAGI is the definitive solution, immediate mitigation steps can reduce the risk. First, restrict the upload directory to a specific, isolated location, preventing access to sensitive system files. Implement strict file type validation on the server-side, rejecting any uploads that do not conform to expected formats. Consider using a Web Application Firewall (WAF) to filter out malicious requests attempting to exploit the path traversal vulnerability. Regularly review and audit file upload processes to identify and address potential weaknesses. After upgrading to a patched version, verify the fix by attempting to upload a file with a deliberately invalid or unexpected path.
Actualice SuperAGI a una versión posterior a 0.0.14 que corrija la vulnerabilidad de Path Traversal. Consulte las notas de la versión o el registro de cambios para obtener detalles sobre la corrección. Como medida preventiva, revise y valide las rutas de los archivos cargados por los usuarios para evitar el acceso a directorios no autorizados.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2024-9415 is a Path Traversal vulnerability in SuperAGI versions up to the latest, allowing attackers to upload arbitrary files potentially leading to code execution.
If you are running SuperAGI version 0.0.14 or earlier, you are affected by this vulnerability and should prioritize patching.
Upgrade to a patched version of SuperAGI as soon as it becomes available. In the meantime, implement mitigation steps like restricting upload paths and validating file types.
Currently, there are no confirmed reports of active exploitation, but the vulnerability is publicly known and could be targeted.
Refer to the transformeroptimus/superagi project repository and associated security advisories for updates and official guidance.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your requirements.txt file and we'll tell you instantly if you're affected.