CVE-2024-5334 - Vulnerability Details - OpenCVE

A local file read vulnerability exists in the stitionai/devika repository, affecting the latest version. The vulnerability is due to improper handling of the 'snapshot_path' parameter in the '/api/get-browser-snapshot' endpoint. An attacker can exploit this vulnerability by crafting a request with a malicious 'snapshot_path' parameter, leading to arbitrary file read from the system. This issue impacts the security of the application by allowing unauthorized access to sensitive files on the server.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Stitionai	Devika

Configuration 1 [-]

cpe:2.3:a:stitionai:devika:1.0:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/stitionai/devika/commit/6acce21fb08c3d1123ef05df6a33912bf0ee77c2
https://huntr.com/bounties/7eec128b-1bf5-4922-a95c-551ad3695cf6

History

Wed, 16 Jul 2025 13:45:00 +0000

Type	Values Removed	Values Added
Metrics	epss `{'score': 0.09011}`	epss `{'score': 0.3087}`

Tue, 15 Jul 2025 15:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Stitionai Stitionai devika
CPEs		cpe:2.3:a:stitionai:devika:1.0:::::::*
Vendors & Products		Stitionai Stitionai devika

MITRE

Status: PUBLISHED

Assigner: @huntr_ai

Published: 2024-06-27T17:33:24.801Z

Updated: 2024-08-01T21:11:12.417Z

Reserved: 2024-05-24T18:28:26.661Z

Link: CVE-2024-5334

Vulnrichment

Updated: 2024-08-01T21:11:12.417Z

NVD

Status : Analyzed

Published: 2024-06-27T18:15:20.223

Modified: 2025-07-15T15:37:39.700

Link: CVE-2024-5334

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-5334", "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "state": "PUBLISHED", "assignerShortName": "@huntr_ai", "dateReserved": "2024-05-24T18:28:26.661Z", "datePublished": "2024-06-27T17:33:24.801Z", "dateUpdated": "2024-08-01T21:11:12.417Z"}, "containers": {"cna": {"title": "Local File Read in stitionai/devika", "providerMetadata": {"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "shortName": "@huntr_ai", "dateUpdated": "2024-07-12T07:41:10.793Z"}, "descriptions": [{"lang": "en", "value": "A local file read vulnerability exists in the stitionai/devika repository, affecting the latest version. The vulnerability is due to improper handling of the 'snapshot_path' parameter in the '/api/get-browser-snapshot' endpoint. An attacker can exploit this vulnerability by crafting a request with a malicious 'snapshot_path' parameter, leading to arbitrary file read from the system. This issue impacts the security of the application by allowing unauthorized access to sensitive files on the server."}], "affected": [{"vendor": "stitionai", "product": "stitionai/devika", "versions": [{"version": "unspecified", "lessThan": "-", "status": "affected", "versionType": "custom"}]}], "references": [{"url": "https://huntr.com/bounties/7eec128b-1bf5-4922-a95c-551ad3695cf6"}, {"url": "https://github.com/stitionai/devika/commit/6acce21fb08c3d1123ef05df6a33912bf0ee77c2"}], "metrics": [{"cvssV3_0": {"version": "3.0", "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH"}}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-73 External Control of File Name or Path", "cweId": "CWE-73"}]}], "source": {"advisory": "7eec128b-1bf5-4922-a95c-551ad3695cf6", "discovery": "EXTERNAL"}}, "adp": [{"affected": [{"vendor": "stitionai", "product": "devika", "cpes": ["cpe:2.3:a:stitionai:devika:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "*", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-07-29T19:31:17.228671Z", "id": "CVE-2024-5334", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-29T19:45:17.837Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T21:11:12.417Z"}, "title": "CVE Program Container", "references": [{"url": "https://huntr.com/bounties/7eec128b-1bf5-4922-a95c-551ad3695cf6", "tags": ["x_transferred"]}, {"url": "https://github.com/stitionai/devika/commit/6acce21fb08c3d1123ef05df6a33912bf0ee77c2", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://huntr.com/bounties/7eec128b-1bf5-4922-a95c-551ad3695cf6", "tags": ["x_transferred"]}, {"url": "https://github.com/stitionai/devika/commit/6acce21fb08c3d1123ef05df6a33912bf0ee77c2", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T21:11:12.417Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-5334", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-07-29T19:31:17.228671Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:stitionai:devika:*:*:*:*:*:*:*:*"], "vendor": "stitionai", "product": "devika", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "*"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-29T19:45:13.615Z"}}], "cna": {"title": "Local File Read in stitionai/devika", "source": {"advisory": "7eec128b-1bf5-4922-a95c-551ad3695cf6", "discovery": "EXTERNAL"}, "metrics": [{"cvssV3_0": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "stitionai", "product": "stitionai/devika", "versions": [{"status": "affected", "version": "unspecified", "lessThan": "-", "versionType": "custom"}]}], "references": [{"url": "https://huntr.com/bounties/7eec128b-1bf5-4922-a95c-551ad3695cf6"}, {"url": "https://github.com/stitionai/devika/commit/6acce21fb08c3d1123ef05df6a33912bf0ee77c2"}], "descriptions": [{"lang": "en", "value": "A local file read vulnerability exists in the stitionai/devika repository, affecting the latest version. The vulnerability is due to improper handling of the 'snapshot_path' parameter in the '/api/get-browser-snapshot' endpoint. An attacker can exploit this vulnerability by crafting a request with a malicious 'snapshot_path' parameter, leading to arbitrary file read from the system. This issue impacts the security of the application by allowing unauthorized access to sensitive files on the server."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-73", "description": "CWE-73 External Control of File Name or Path"}]}], "providerMetadata": {"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "shortName": "@huntr_ai", "dateUpdated": "2024-07-12T07:41:10.793Z"}}}, "cveMetadata": {"cveId": "CVE-2024-5334", "state": "PUBLISHED", "dateUpdated": "2024-08-01T21:11:12.417Z", "dateReserved": "2024-05-24T18:28:26.661Z", "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "datePublished": "2024-06-27T17:33:24.801Z", "assignerShortName": "@huntr_ai"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:stitionai:devika:1.0:*:*:*:*:*:*:*", "matchCriteriaId": "E48B4C29-E925-4C73-BFC6-83FAF8741CCC", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A local file read vulnerability exists in the stitionai/devika repository, affecting the latest version. The vulnerability is due to improper handling of the 'snapshot_path' parameter in the '/api/get-browser-snapshot' endpoint. An attacker can exploit this vulnerability by crafting a request with a malicious 'snapshot_path' parameter, leading to arbitrary file read from the system. This issue impacts the security of the application by allowing unauthorized access to sensitive files on the server."}, {"lang": "es", "value": "Control externo del nombre o ruta del archivo en el repositorio de GitHub stitionai/devika antes de -."}], "id": "CVE-2024-5334", "lastModified": "2025-07-15T15:37:39.700", "metrics": {"cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "[email protected]", "type": "Secondary"}]}, "published": "2024-06-27T18:15:20.223", "references": [{"source": "[email protected]", "tags": ["Patch"], "url": "https://github.com/stitionai/devika/commit/6acce21fb08c3d1123ef05df6a33912bf0ee77c2"}, {"source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"], "url": "https://huntr.com/bounties/7eec128b-1bf5-4922-a95c-551ad3695cf6"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/stitionai/devika/commit/6acce21fb08c3d1123ef05df6a33912bf0ee77c2"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://huntr.com/bounties/7eec128b-1bf5-4922-a95c-551ad3695cf6"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-73"}], "source": "[email protected]", "type": "Secondary"}]}