CVE-2024-47169

HIGH

agnai < 1.0.330 - Unauthenticated Arbitrary File Write via Path Traversal

Title source: llm

Description

Agnai is an artificial-intelligence-agnostic multi-user, mult-bot roleplaying chat system. A vulnerability in versions prior to 1.0.330 permits attackers to upload arbitrary files to attacker-chosen locations on the server, including JavaScript, enabling the execution of commands within those files. This issue could result in unauthorized access, full server compromise, data leakage, and other critical security threats. This does not affect `agnai.chat`, installations using S3-compatible storage, or self-hosting that is not publicly exposed. This does affect publicly hosted installs without S3-compatible storage. Version 1.0.330 fixes this vulnerability.

References (1)

Core 1

Core References

Vendor Advisory x_refsource_confirm

https://github.com/agnaistic/agnai/security/advisories/GHSA-mpch-89gm-hm83

Scores

CVSS v3 8.8

EPSS 0.0076

EPSS Percentile 50.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact total

Details

CWE

CWE-35 CWE-434

Status published

Products (2)

agnai/agnai < 1.0.330

npm/agnai 0 - 1.0.330npm

Published Sep 26, 2024

Tracked Since Feb 18, 2026