Platform
python
Component
agent-zero
Fixed in
0.8.1
0.8.2
0.8.3
0.8.4
0.8.5
CVE-2025-6166 is a problematic Path Traversal vulnerability affecting Agent-Zero versions 0.8.0 through 0.8.4.1. This vulnerability allows attackers to potentially access sensitive files by manipulating the 'path' argument within the image_get function. Upgrading to version 0.8.4.1 addresses this issue and is strongly recommended. The patch identifier is 5db74202d632306a883ccce7339c5bdba0d16c5a.
The Path Traversal vulnerability in Agent-Zero allows an attacker to bypass intended access controls and read arbitrary files on the system where Agent-Zero is running. By crafting a malicious request that manipulates the 'path' parameter in the /python/api/image_get.py endpoint, an attacker could potentially retrieve configuration files, source code, or other sensitive data. The extent of the data accessible depends on the permissions of the Agent-Zero process and the file system structure. While the CVSS score is LOW, successful exploitation could lead to information disclosure and compromise system confidentiality.
CVE-2025-6166 was disclosed on 2025-06-17. There are currently no publicly available proof-of-concept exploits. The EPSS score is pending evaluation. This vulnerability is not currently listed on the CISA KEV catalog.
Organizations deploying Agent-Zero versions 0.8.0 through 0.8.4.1 are at risk. This includes environments where Agent-Zero is used for image processing or data retrieval, particularly those with publicly accessible API endpoints. Shared hosting environments where Agent-Zero is installed could also be vulnerable if the hosting provider has not applied the update.
• python / server:

    import requests

    # Point this at the Agent-Zero instance under test (placeholder host).
    url = 'http://your-agent-zero-server/python/api/image_get.py'
    try:
        # Request a file outside the image directory via the 'path' parameter
        # and check whether the endpoint serves it.
        response = requests.get(url, params={'path': '../etc/passwd'})  # Attempt path traversal
        if response.status_code == 200:
            print("Potential vulnerability detected: Path traversal successful.")
        else:
            print("Path traversal attempt failed.")
    except requests.exceptions.RequestException as e:
        print(f"Error: {e}")
Exploit status
EPSS
0.06% (20th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-6166 is to upgrade Agent-Zero to version 0.8.4.1 or later, which includes the fix. If an immediate upgrade is not feasible, implement input validation on the 'path' parameter of the /python/api/image_get.py endpoint to prevent path traversal: canonicalise the requested path and confine it to a specific directory, or whitelist the allowed characters. Additionally, review file system permissions so that the Agent-Zero process has only the access rights it needs. After upgrading, confirm the fix by requesting a file outside the image directory through the /python/api/image_get.py endpoint with a crafted path traversal payload; access should be denied.
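As an added example (not code from the Agent-Zero project or from this advisory), the following Python resolver shows the kind of input validation described above: a user-supplied 'path' is joined to a fixed image root, canonicalised, and rejected if it escapes that root, points through a symlink to a file outside it, or is not an allowed image type. The root directory, the file-type allow-list and the layout built by demo() are assumptions.

```python
import tempfile
from pathlib import Path

# Assumed allow-list of image types the endpoint should ever serve.
ALLOWED_SUFFIXES = {".png", ".jpg", ".jpeg", ".gif", ".webp"}


def resolve_image_path(user_path: str, root: Path) -> Path:
    """Map a user-supplied 'path' argument onto a file inside root.
    ValueError: target escapes root (after '..'/symlink resolution) or is not
    an allowed image type. FileNotFoundError: inside root but absent."""
    if not user_path or "\x00" in user_path:
        raise ValueError("empty or malformed path")
    root = root.resolve()
    # Strip leading separators so an absolute path cannot replace the root, then
    # canonicalise so '..' and symlinks are collapsed *before* the containment check.
    candidate = (root / user_path.lstrip("/\\")).resolve()
    try:
        candidate.relative_to(root)
    except ValueError:
        raise ValueError(f"path escapes image root: {user_path!r}") from None
    if candidate.suffix.lower() not in ALLOWED_SUFFIXES:
        raise ValueError(f"disallowed file type: {candidate.suffix!r}")
    if not candidate.is_file():
        raise FileNotFoundError(user_path)
    return candidate


def classify(paths, root):
    """Run each candidate through the resolver: 'ok' or the exception name."""
    result = {}
    for p in paths:
        try:
            resolve_image_path(p, root)
            result[p] = "ok"
        except (ValueError, FileNotFoundError) as exc:
            result[p] = type(exc).__name__
    return result


def demo():
    """Constructed layout: a real image, a secret outside the root, and a
    symlink inside the root that points at the secret."""
    base = Path(tempfile.mkdtemp())
    root = base / "images"
    root.mkdir()
    (root / "cat.png").write_bytes(b"constructed image bytes")
    (base / "secret.txt").write_text("constructed secret")
    (root / "link.png").symlink_to(base / "secret.txt")
    return classify(["cat.png", "sub/../cat.png", "../secret.txt",
                     "/etc/passwd", "link.png", "missing.png"], root)
```

Note that the containment check runs on the resolved path, so a legitimate "sub/../cat.png" is still served while the symlinked "link.png" is refused even though its name looks harmless.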
Update Agent-Zero to version 0.8.4.1 or later. This version fixes the path traversal vulnerability in the image_get function of the file /python/api/image_get.py. The update mitigates the risk of unauthorized access to sensitive files.
CVE-2025-6166 is a Path Traversal vulnerability affecting Agent-Zero versions 0.8.0 through 0.8.4.1, allowing attackers to potentially access unauthorized files.
You are affected if you are using Agent-Zero versions 0.8.0, 0.8.1, 0.8.2, 0.8.3, or 0.8.4.1. Upgrade to 0.8.4.1 to mitigate the risk.
Upgrade Agent-Zero to version 0.8.4.1 or later. If immediate upgrade is not possible, implement input validation on the 'path' parameter.
As of the current disclosure date, there are no reports of active exploitation of CVE-2025-6166.
Refer to the Agent-Zero project's official communication channels and release notes for the advisory related to CVE-2025-6166.