CVE-2024-40422

CRITICAL NUCLEI

stitionai devika v1 - Path Traversal

Title source: llm

Description

The snapshot_path parameter in the /api/get-browser-snapshot endpoint in stitionai devika v1 is susceptible to a path traversal attack. An attacker can manipulate the snapshot_path parameter to traverse directories and access sensitive files on the server. This can potentially lead to unauthorized access to critical system files and compromise the confidentiality and integrity of the system.

Exploits (2)

exploitdb WORKING POC
by Alperen Ergel · python · webapps · python
https://www.exploit-db.com/exploits/52066
nomisec WORKING POC · 1 star
by j3r1ch0123 · poc
https://github.com/j3r1ch0123/CVE-2024-40422

Nuclei Templates (1)

Devika v1 - Path Traversal
CRITICAL · by s4e-io, alpernae
FOFA: icon_hash="-1429839495"

Scores

CVSS v3 9.1
EPSS 0.9121
EPSS Percentile 99.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Details

CWE
CWE-22
Status published
Products (1)
stitionai/devika 1.0
Published Jul 24, 2024
Tracked Since Feb 18, 2026