CVE-2024-47171
MEDIUM
agnai < 1.0.330 - Path Traversal and Arbitrary File Write via Image Upload
Title source: llm
Description
Agnai is an artificial-intelligence-agnostic multi-user, multi-bot roleplaying chat system. A vulnerability in versions prior to 1.0.330 permits attackers to upload image files to an attacker-chosen location on the server. This issue can lead to image file uploads to unauthorized or unintended directories, including overwriting of existing images, which may be used for defacement. This does not affect `agnai.chat`, installations using S3-compatible storage, or self-hosted installations that are not publicly exposed. Version 1.0.330 fixes this vulnerability.
References (3)
Core References
Vendor Advisory x_refsource_confirm
https://github.com/agnaistic/agnai/security/advisories/GHSA-g54f-66mw-hv66
Scores
CVSS v3
4.3
EPSS
0.0048
EPSS Percentile
37.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-22
CWE-35
Status
published
Products (2)
agnai/agnai
< 1.0.330
npm/agnai
0 - 1.0.330
Published
Sep 26, 2024
Tracked Since
Feb 18, 2026