CVE-2024-5752 describes a critical path traversal vulnerability in the project creation functionality of stitionai/devika. The flaw allows attackers to craft project names that traverse directories, potentially leading to arbitrary file overwrites and, ultimately, remote code execution. All versions of devika released before a fix is available are affected, and mitigation currently relies on workarounds.
The impact of CVE-2024-5752 is significant due to the potential for remote code execution. An attacker could leverage this vulnerability to overwrite critical system files or inject malicious code into the application's codebase. Successful exploitation could grant an attacker complete control over the affected system, enabling them to steal sensitive data, install malware, or disrupt operations. The ability to traverse directories makes this vulnerability particularly dangerous, as it bypasses typical input validation mechanisms. This vulnerability shares similarities with other path traversal exploits where attackers manipulate file paths to access unauthorized resources.
CVE-2024-5752 was published on 2025-03-20. Currently, there are no known public proof-of-concept exploits. The EPSS score is pending evaluation, but the CRITICAL CVSS score suggests a high probability of exploitation if left unaddressed. Monitor security advisories and threat intelligence feeds for any indications of active exploitation campaigns targeting this vulnerability.
Organizations utilizing stitionai/devika for project management and code generation are at risk, particularly those with limited input validation or inadequate WAF protection. Shared hosting environments where multiple users can create projects are especially vulnerable, as a compromised project could impact other users on the same server.
• python / server:
  find /path/to/devika/projects -type f -name '*..*' # Detect files with suspicious names
• generic web:
  curl -I 'http://your-devika-instance/create_project?name=../../../../etc/passwd' # Check for directory traversal attempts
Exploitation status
EPSS: 2.05% (84th percentile)
CISA SSVC
CVSS vector
Due to the absence of a fixed version, immediate mitigation is crucial. Implement strict input validation on the project name field, rejecting any names containing directory traversal characters (e.g., '..'). Deploy a Web Application Firewall (WAF) with rules to block requests containing suspicious path traversal patterns. Regularly review and audit project creation logs for any unusual activity. Consider restricting the application's write access to only necessary directories. After implementing these mitigations, carefully review the application's behavior to ensure that project creation functions operate as expected and that no unintended file modifications occur.
Upgrade to the latest version of Devika that includes the fix for the path traversal vulnerability. Ensure that user input, especially project names, is validated and sanitized so that malicious paths cannot be created. Review the security configuration of your environment to reduce the risk of remote code execution.
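As an added example of the project-name validation the two mitigation passages above describe (not devika's own code), the following Python guard combines an allow-list check on the name with a containment check on the resolved path. The projects root, function names and sample inputs are assumptions.

```python
import re
from pathlib import Path
from typing import Optional

# Assumed projects root; devika's real directory layout is not given on this page.
PROJECTS_ROOT = Path("/srv/devika/projects")

# Allow-list: must start with a letter or digit, then letters, digits,
# spaces, '-' or '_', 1..64 characters total. An allow-list is preferred
# over stripping '..' because it also rejects '/', '\\', NUL bytes,
# leading dots and absolute paths, none of which contain '..'.
_NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9 _-]{0,63}")


def validate_project_name(name: object) -> bool:
    """Return True only if `name` is a plain, single-component directory name."""
    return isinstance(name, str) and _NAME_RE.fullmatch(name) is not None


def resolve_project_dir(name: str, root: Path = PROJECTS_ROOT) -> Optional[Path]:
    """Map a project name to its directory, or return None if it is rejected.

    Defence in depth: even after the allow-list passes, resolve the final
    path and require that its parent is exactly the projects root. This
    catches a pre-existing symlink inside the root that points elsewhere,
    and keeps the guard safe if the allow-list is ever relaxed.
    """
    if not validate_project_name(name):
        return None
    root_real = root.resolve()
    target = (root_real / name).resolve()
    if target.parent != root_real:
        return None
    return target


if __name__ == "__main__":
    # Constructed inputs: one legitimate name, one shaped like the traversal in the CVE.
    for candidate in ["my-app", "../../../../etc/passwd"]:
        print(f"{candidate!r} -> {resolve_project_dir(candidate)}")
```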
CVE-2024-5752 is a critical vulnerability in stitionai/devika allowing attackers to manipulate project names to traverse directories and potentially overwrite files, leading to remote code execution.
If you are running any version of stitionai/devika released before a fix is available (at the time of writing, no fixed version exists), you are potentially affected by this vulnerability.
As no fixed version is available, mitigation involves strict input validation on project names, WAF rules, and restricting write access to necessary directories.
Currently, there are no known public proof-of-concept exploits or confirmed active exploitation campaigns, but the CRITICAL severity warrants immediate attention.
Refer to the stitionai project repository and security advisories for updates and further information regarding CVE-2024-5752.