
CVE-2024-2221

Critical · Public PoC

Published: 10 April 2024
Modified: 14 July 2025
KEV Added: not listed
CVSS Score v3: 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.2553 (96.4th percentile)
Risk Priority: 35 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-2221 is a critical-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in the Qdrant vector database (vendor Qdrant). Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 3.6% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

This vulnerability is AI-related: the affected product is categorised as Similarity Search, in the Supply Chain and Deployment risk domain. MITRE ATLAS techniques in scope: Hardware (AML.T0010.000), Infer Training Data Membership (AML.T0024.000), Financial Harm (AML.T0048.000).

Deeper analysis

qdrant/qdrant contains a path traversal and arbitrary file upload vulnerability in the /collections/{COLLECTION}/snapshots/upload endpoint that is triggered through the snapshot parameter. The flaw permits an unauthenticated remote attacker to supply a crafted path that writes an arbitrary file to any location on the server filesystem. It is tracked as CVE-2024-2221, carries a CVSS 3.0 score of 9.8, and is associated with CWE-434 and CWE-22.

An attacker with network access can send a malicious upload request that overwrites existing files, resulting in remote code execution or denial of service. Because the endpoint requires no credentials and the attack can be performed in a single request, the issue affects both integrity and availability of the qdrant instance.

The referenced GitHub commit e6411907f0ecf3c2f8ba44ab704b9e4597d9705d and the accompanying huntr report document the corrective changes applied to the snapshot upload handler. The current EPSS of 0.2553 has remained flat since disclosure and does not indicate a subsequent increase in observed exploitation interest.
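The flaw described above, and the CWE-22 control listed under Mitigating Controls, both come down to the same server-side check: the client-supplied `snapshot` value must be constrained to a single file name inside the snapshots directory before it is ever joined onto a path. The Rust function below is an added example of that check, not Qdrant's own code or the change in the referenced commit; the `.snapshot` suffix rule and the `snapshots_dir` base directory are assumptions.

```rust
use std::path::{Component, Path, PathBuf};

/// Why a client-supplied snapshot name was rejected.
#[derive(Debug, PartialEq, Eq)]
pub enum SnapshotNameError {
    Empty,
    ContainsNul,
    Traversal,
    Absolute,
    ContainsSeparator,
    NotAPlainFileName,
    BadExtension,
}

/// Map the untrusted `snapshot` value from an upload request onto a path that
/// cannot leave `snapshots_dir`. Assumed policy for this example (not Qdrant's
/// own code): the value must be one plain file name with a `.snapshot` suffix,
/// and the result is always `snapshots_dir` joined with exactly that name.
pub fn safe_snapshot_path(
    snapshots_dir: &Path,
    snapshot: &str,
) -> Result<PathBuf, SnapshotNameError> {
    if snapshot.is_empty() {
        return Err(SnapshotNameError::Empty);
    }
    if snapshot.contains('\0') {
        return Err(SnapshotNameError::ContainsNul);
    }
    // Walk the components so the error names what was attempted.
    for component in Path::new(snapshot).components() {
        match component {
            Component::ParentDir => return Err(SnapshotNameError::Traversal),
            Component::RootDir | Component::Prefix(_) => return Err(SnapshotNameError::Absolute),
            Component::CurDir => return Err(SnapshotNameError::NotAPlainFileName),
            Component::Normal(_) => {}
        }
    }
    // Reject both separator styles explicitly: on Unix a backslash is an ordinary
    // character to `Path`, but the file may later be handled by other tooling.
    if snapshot.contains('/') || snapshot.contains('\\') {
        return Err(SnapshotNameError::ContainsSeparator);
    }
    if !snapshot.ends_with(".snapshot") || snapshot == ".snapshot" {
        return Err(SnapshotNameError::BadExtension);
    }
    Ok(snapshots_dir.join(snapshot))
}
```

Because every accepted value is a single `Normal` component, the joined path is always a direct child of `snapshots_dir`, which is the property a handler should be able to rely on before writing the uploaded bytes.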


Vulnerability details

qdrant/qdrant is vulnerable to a path traversal and arbitrary file upload vulnerability via the `/collections/{COLLECTION}/snapshots/upload` endpoint, specifically through the `snapshot` parameter. This vulnerability allows attackers to upload and overwrite any file on the filesystem, leading to potential remote code execution. This issue affects the integrity and availability of the system, enabling unauthorized access and potentially causing the server to malfunction.


AI Security Analysis

AI Category: Similarity Search
Risk Domain: Supply Chain and Deployment
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Qdrant is an open-source vector database designed for similarity search on high-dimensional embeddings, commonly used in AI/ML applications for semantic search, RAG, and recommendation systems. The vulnerability affects its API endpoint for snapshot uploads in collections, confirming its relevance to AI similarity search infrastructure.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1543.003 Windows Service (Persistence)
Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence.
T1505 Server Software Component (Persistence)
Adversaries may abuse legitimate extensible development features of servers to establish persistent access to systems.
T1543 Create or Modify System Process (Persistence)
Adversaries may create or modify system-level processes to repeatedly execute malicious payloads as part of persistence.
Why these techniques?

Path traversal and arbitrary file upload/overwriting enable exploitation of a public-facing application (T1190), modification of existing services (T1031), abuse of server software components for persistence/execution (T1505), and creation/modification of system processes (T1543), leading to RCE.

MITRE ATLAS Techniques

AML.T0010.000: Hardware
AML.T0024.000: Infer Training Data Membership
AML.T0048.000: Financial Harm

Affected Assets

Vendor: qdrant
Product: qdrant
Version: 1.7.4

Mitigating Controls

Likely Mitigating Controls

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-434: Requiring identifiable owners for portable devices reduces the attack surface for unrestricted uploads of dangerous file types via anonymous media.

Addresses CWE-434: Dangerous file uploads can be detonated in the chamber to determine malice before any production write or execution occurs.

Addresses CWE-434: Prevents unrestricted writing of arbitrary or malicious firmware by keeping hardware write-protect enabled except under tightly controlled manual procedures.

Addresses CWE-22: Validates pathnames and filenames to prevent traversal outside intended directories.

Addresses CWE-434: Scans files from external sources on download/open/execute, blocking unrestricted uploads of dangerous file types.
