Cyber Resilience

CVE-2024-40422

Critical · Public PoC

Published: 24 July 2024
Modified: 29 January 2025
KEV Added: not listed
Patch: fix proposed in the project (see Deeper analysis)
CVSS v3.1 score: 9.1 (vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS score: 0.9057 (99.6th percentile)
Risk priority: 73 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-40422 is a critical-severity Path Traversal (CWE-22) vulnerability in Stitionai Devika. Its CVSS base score is 9.1 (Critical).

Operationally, this CVE is ranked in the top 0.4% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

CVE-2024-40422 is a path traversal vulnerability (CWE-22) affecting the snapshot_path parameter of the /api/get-browser-snapshot endpoint in stitionai devika v1. An unauthenticated remote attacker can supply directory traversal sequences in this parameter to read arbitrary files on the underlying server, resulting in high-impact disclosure and potential integrity compromise. The issue carries a CVSS 3.1 score of 9.1.

An attacker with network access can directly invoke the endpoint and manipulate snapshot_path to escape the intended directory, retrieving sensitive system or application files without authentication or user interaction. Successful exploitation grants read access to critical configuration or source files, undermining confidentiality and integrity while leaving availability unaffected.

Public references include a GitHub pull request (#619) in the stitionai/devika repository along with a detailed technical write-up, indicating that a fix has been proposed in the project. The associated EPSS score remains elevated near 0.91 with a recorded peak of 0.93.


Vulnerability details

The snapshot_path parameter in the /api/get-browser-snapshot endpoint in stitionai devika v1 is susceptible to a path traversal attack. An attacker can manipulate the snapshot_path parameter to traverse directories and access sensitive files on the server. This can potentially lead to unauthorized access to critical system files and compromise the confidentiality and integrity of the system.

CWE(s)

CWE-22: Improper Limitation of a Pathname to a Restricted Directory (Path Traversal)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: stitionai
Product: devika
Version: 1.0

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Path validation (addresses CWE-22): validates pathnames and filenames to prevent traversal outside intended directories.
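The control above is the generic fix for a CWE-22 weakness of the kind described on this page: a user-supplied file name must be resolved against one fixed base directory and rejected if the canonical result lands anywhere else. The code below is an added illustration written for this page; it is not devika's own code and makes no claim about how the project's /api/get-browser-snapshot handler is implemented. It assumes a hypothetical snapshot directory and a hypothetical helper name (resolve_snapshot_path); the file layout it builds is constructed for the demonstration. It goes slightly beyond the single case in the text by also covering the two ways a naive prefix check fails: a symlink inside the directory that points outside it, and a sibling directory whose name merely starts with the base directory's name.

```python
"""Hardened resolution of a user-supplied snapshot path (added example,
not devika's code). Assumes a single base directory that holds snapshots
and an API parameter that should name a file below it."""
import os
import tempfile
from pathlib import Path


class PathTraversalError(ValueError):
    """Raised when a requested path would escape the snapshot directory."""


def resolve_snapshot_path(base_dir: str, requested: str) -> str:
    """Return the absolute path of `requested` inside `base_dir`, or raise.

    Checks, in order:
      1. reject empty input, NUL bytes and absolute paths (an absolute path
         would make os.path.join ignore base_dir entirely);
      2. join with base_dir and canonicalise with realpath, which collapses
         '..' segments and follows symlinks, so the check runs on the
         file that would actually be opened;
      3. require the canonical result to be a descendant of the canonical
         base_dir using commonpath, not a string prefix test, so that
         '/srv/snapshots-old' is not accepted as a child of '/srv/snapshots';
      4. require the target to be a regular file.
    """
    if not requested or "\x00" in requested:
        raise PathTraversalError("snapshot_path is empty or malformed")
    if os.path.isabs(requested):
        raise PathTraversalError("snapshot_path must be relative")
    root = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(root, requested))
    if os.path.commonpath([root, candidate]) != root:
        raise PathTraversalError("snapshot_path escapes the snapshot directory")
    if not os.path.isfile(candidate):
        raise FileNotFoundError(candidate)
    return candidate


def classify(base_dir: str, requested: str) -> str:
    """Map the outcome of resolve_snapshot_path to a short label; a handler
    would return HTTP 400 for 'rejected' and 404 for 'missing'."""
    try:
        resolve_snapshot_path(base_dir, requested)
        return "allowed"
    except PathTraversalError:
        return "rejected"
    except FileNotFoundError:
        return "missing"


def build_fixture() -> str:
    """Constructed layout for the demonstration (returns the snapshot dir):

        <tmp>/snapshots/page.png        legitimate snapshot
        <tmp>/snapshots/link -> ../secret.txt   symlink escaping the dir
        <tmp>/snapshots-old/old.png     sibling dir sharing a name prefix
        <tmp>/secret.txt                file that must never be served
    """
    tmp = tempfile.mkdtemp()
    snaps = os.path.join(tmp, "snapshots")
    os.mkdir(snaps)
    Path(snaps, "page.png").write_bytes(b"constructed PNG placeholder")
    Path(tmp, "secret.txt").write_text("constructed secret\n")
    os.symlink(os.path.join(tmp, "secret.txt"), os.path.join(snaps, "link"))
    os.mkdir(os.path.join(tmp, "snapshots-old"))
    Path(tmp, "snapshots-old", "old.png").write_bytes(b"x")
    return snaps


if __name__ == "__main__":
    base = build_fixture()
    for name in ("page.png", "../secret.txt", "link",
                 "../snapshots-old/old.png", "/etc/hostname", "nope.png"):
        print(f"{name!r:32} -> {classify(base, name)}")
```

Note that canonicalising with realpath before the containment check is what makes the symlink case fail closed; a check on the unresolved string would see a path that lexically sits inside the base directory. The handler should also treat the request as untrusted input before this point (e.g. URL-decoding is the framework's job, and the check must run on the decoded value).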
