Platform
python
Component
devika
Fixed in
-
CVE-2024-5752 describes a critical path traversal vulnerability affecting the stitionai/devika project creation functionality. This flaw allows attackers to manipulate project names to traverse directories, potentially leading to arbitrary file overwrites and, ultimately, remote code execution. The vulnerability impacts versions of devika prior to a fix being released, and mitigation strategies are currently focused on workarounds.
The impact of CVE-2024-5752 is significant due to the potential for remote code execution. An attacker could leverage this vulnerability to overwrite critical system files or inject malicious code into the application's codebase. Successful exploitation could grant an attacker complete control over the affected system, enabling them to steal sensitive data, install malware, or disrupt operations. The ability to traverse directories makes this vulnerability particularly dangerous, as it bypasses typical input validation mechanisms. This vulnerability shares similarities with other path traversal exploits where attackers manipulate file paths to access unauthorized resources.
CVE-2024-5752 was published on 2025-03-20. Currently, there are no known public proof-of-concept exploits. The EPSS score is pending evaluation, but the CRITICAL CVSS score suggests a high probability of exploitation if left unaddressed. Monitor security advisories and threat intelligence feeds for any indications of active exploitation campaigns targeting this vulnerability.
Organizations utilizing stitionai/devika for project management and code generation are at risk, particularly those with limited input validation or inadequate WAF protection. Shared hosting environments where multiple users can create projects are especially vulnerable, as a compromised project could impact other users on the same server.
• python / server:
find /path/to/devika/projects -type f -name '*..*' # Detect files with suspicious names
• generic web:
curl -I 'http://your-devika-instance/create_project?name=../../../../etc/passwd' # Check for directory traversal attempts
Exploit Status
EPSS
2.05% (84th percentile)
CISA SSVC
CVSS Vector
Due to the absence of a fixed version, immediate mitigation is crucial. Implement strict input validation on the project name field, rejecting any names containing directory traversal characters (e.g., '..'). Deploy a Web Application Firewall (WAF) with rules to block requests containing suspicious path traversal patterns. Regularly review and audit project creation logs for any unusual activity. Consider restricting the application's write access to only necessary directories. After implementing these mitigations, carefully review the application's behavior to ensure that project creation functions operate as expected and that no unintended file modifications occur.
Update to the latest version of Devika that contains the fix for the path traversal vulnerability. Make sure you validate and sanitize user input, especially project names, to prevent the creation of malicious paths. Review your environment's security configuration to mitigate the risk of remote code execution.
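The input validation and write-restriction advice above can be applied at the point where a project name becomes a filesystem path. The following is an added example, not code from the devika project: it combines a conservative allow-list for project names with a resolved-path containment check, so a name such as `../../../../etc/passwd` can never produce a directory outside the projects root. The root path, the character set and the name length limit are assumptions for illustration.

```python
import re
from pathlib import Path

# Assumed projects root for a devika-style deployment (constructed for this example).
PROJECTS_ROOT = Path("/srv/devika/projects")

# Allow-list: letters, digits, space, '-' and '_', 1 to 64 characters, and the
# first character must be alphanumeric. No '.', '/' or '\' can ever get through,
# which rules out '..' segments before any path is built (assumption: this
# character set is acceptable for your project names).
_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9 _-]{0,63}$")


class InvalidProjectName(ValueError):
    """Raised when a user-supplied project name is rejected."""


def validate_project_name(name: str) -> str:
    """Return the name unchanged if it matches the allow-list, else raise."""
    if not isinstance(name, str) or not _NAME_RE.fullmatch(name):
        raise InvalidProjectName(f"rejected project name: {name!r}")
    return name


def project_dir(name: str, root: Path = PROJECTS_ROOT) -> Path:
    """Return the directory a project may be created in, or raise.

    Two independent checks are applied: the allow-list above, and a
    containment check on the fully resolved path, so that even a later
    relaxation of the regex (or a symlink inside the root) cannot let a
    project escape the projects root.
    """
    name = validate_project_name(name)
    root = root.resolve()
    target = (root / name).resolve()
    # A traversal sequence or an absolute name would land outside root here.
    if target.parent != root:
        raise InvalidProjectName(f"path escapes projects root: {name!r}")
    return target


def is_safe_project_name(name: str) -> bool:
    """Convenience wrapper: True only if project_dir() accepts the name."""
    try:
        project_dir(name)
        return True
    except InvalidProjectName:
        return False
```

The containment check relies on `Path.resolve()`, which also collapses symlinks, so a write restriction on the process (only `PROJECTS_ROOT` writable) is still worth adding as the second layer the advisory recommends.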
CVE-2024-5752 is a critical vulnerability in stitionai/devika allowing attackers to manipulate project names to traverse directories and potentially overwrite files, leading to remote code execution.
If you are using a version of stitionai/devika prior to a fix being released (currently no fixed version available), you are potentially affected by this vulnerability.
As no fixed version is available, mitigation involves strict input validation on project names, WAF rules, and restricting write access to necessary directories.
Currently, there are no known public proof-of-concept exploits or confirmed active exploitation campaigns, but the CRITICAL severity warrants immediate attention.
Refer to the stitionai project repository and security advisories for updates and further information regarding CVE-2024-5752.