CVE-2024-47169: Agnai vulnerable to Remote Code Execution via JS Upload using Directory Traversal

September 26, 2024

A vulnerability has been discovered in Agnai that permits attackers to upload arbitrary files to attacker-chosen locations on the server, including JavaScript, enabling the execution of commands within those files. This issue could result in unauthorized access, full server compromise, data leakage, and other critical security threats.

This does not affect:

agnai.chat
installations using S3-compatible storage
self-hosting that is not publicly exposed

This DOES affect:

publicly hosted installs without S3-compatible storage

References

github.com/advisories/GHSA-mpch-89gm-hm83
github.com/agnaistic/agnai
github.com/agnaistic/agnai/security/advisories/GHSA-mpch-89gm-hm83
nvd.nist.gov/vuln/detail/CVE-2024-47169

Code Behaviors & Features

Detect and mitigate CVE-2024-47169 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →