Cyber Resilience

CVE-2024-5926

Critical · Public PoC

Published: 30 June 2024

Modified: 10 July 2025
KEV Added: not listed
Patch: (none recorded)
CVSS Score (v3): 9.1, vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
EPSS Score: 0.0021 (43.3rd percentile)
Risk Priority: 18 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-5926 is a critical-severity Path Traversal: '\..\filename' (CWE-29) vulnerability in Stitionai Devika. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique File and Directory Discovery (T1083). It is ranked at the 43.3rd percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

This vulnerability is AI-related — categorised as Enterprise AI Assistants; in the Privacy and Disclosure risk domain; MITRE ATLAS techniques in scope: Exfiltration via AI Inference API (AML.T0024), External Harms (AML.T0048).


Vulnerability details

A path traversal vulnerability in the get-project-files functionality of stitionai/devika allows attackers to read arbitrary files from the filesystem and cause a Denial of Service (DoS). This issue is present in all versions of the application. The vulnerability arises due to insufficient path sanitization for the 'project-name' parameter, enabling attackers to specify paths that traverse the filesystem. By setting 'project-name' to the root directory, an attacker can cause the application to attempt to read the entire filesystem, leading to a DoS condition.
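The pattern the advisory describes, a user-controlled 'project-name' joined onto a projects directory with no sanitization, shown beside a hardened version. This is an added example and not code from stitionai/devika: the function names, the base directory layout, the os.walk-based listing and the sample files are assumptions made for illustration. The vulnerable variant reproduces both consequences from the text (an absolute or '../' name escapes the base directory, and an unbounded walk is what turns the traversal into a DoS); the hardened variant applies an allowlist to the name, then checks containment on the resolved path so that a symlink planted inside the projects directory cannot point elsewhere.

```python
"""Path traversal in a 'list project files' handler: vulnerable vs hardened.

Added example, not code from stitionai/devika: the function names, the
projects base directory and the os.walk-based listing are assumptions
chosen to mirror the behaviour the advisory describes (a user-controlled
'project-name' joined onto a base directory with no sanitization).
"""
import os
import re
import tempfile
from pathlib import Path

# Allowlist for a project name: a single path component, no separators,
# no leading dot (so "." and ".." cannot match), bounded length.
PROJECT_NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")


class ProjectNameError(ValueError):
    """Raised by the hardened handler when 'project-name' is rejected."""


def list_project_files_vulnerable(base_dir, project_name, limit=10_000):
    """Vulnerable pattern. os.path.join() drops base_dir entirely when
    project_name is absolute, and '../' segments walk out of it, so
    project_name='/' makes the handler walk the whole filesystem (the DoS
    in the advisory). `limit` exists only to keep this demo bounded; the
    real bug has no such cap."""
    project_dir = os.path.join(base_dir, project_name)
    found = []
    for root, _dirs, names in os.walk(project_dir):
        for n in names:
            found.append(os.path.join(root, n))
            if len(found) >= limit:
                return found
    return found


def list_project_files_hardened(base_dir, project_name):
    """Hardened pattern: syntactic allowlist, then a containment check on
    the resolved path (catches symlinks planted inside base_dir), then a
    walk that does not follow symlinks."""
    if not PROJECT_NAME_RE.fullmatch(project_name):
        raise ProjectNameError(f"invalid project name: {project_name!r}")
    base = Path(base_dir).resolve(strict=True)
    project_dir = (base / project_name).resolve()
    if project_dir.parent != base or not project_dir.is_dir():
        raise ProjectNameError(f"project not inside {base}: {project_name!r}")
    files = []
    for root, _dirs, names in os.walk(project_dir):  # followlinks=False
        for n in names:
            files.append(Path(root, n).relative_to(project_dir).as_posix())
    return sorted(files)


def build_fixture():
    """Constructed sample layout (not real project data):
         <tmp>/projects/alpha/main.py
         <tmp>/projects/alpha/sub/util.py
         <tmp>/projects/evil -> <tmp>/secret   (symlink, if the OS allows)
         <tmp>/secret/creds.txt                (outside the projects dir)
    Returns (projects_dir, secret_dir, symlink_created)."""
    tmp = tempfile.mkdtemp(prefix="traversal-demo-")
    projects, secret = os.path.join(tmp, "projects"), os.path.join(tmp, "secret")
    os.makedirs(os.path.join(projects, "alpha", "sub"))
    os.makedirs(secret)
    Path(projects, "alpha", "main.py").write_text("# sample\n")
    Path(projects, "alpha", "sub", "util.py").write_text("# sample\n")
    Path(secret, "creds.txt").write_text("token=constructed-value\n")
    try:
        os.symlink(secret, os.path.join(projects, "evil"))
        return projects, secret, True
    except OSError:
        return projects, secret, False


def run_demo():
    """Exercise both handlers against the fixture; returns a result dict."""
    projects, secret, have_symlink = build_fixture()

    def rel(paths):  # paths relative to the projects directory
        return sorted(Path(p).relative_to(projects).as_posix() for p in paths)

    def names(paths):  # file names only, for paths outside the projects dir
        return sorted(os.path.basename(p) for p in paths)

    out = {}
    out["vuln_ok"] = rel(list_project_files_vulnerable(projects, "alpha"))
    out["vuln_dotdot"] = names(list_project_files_vulnerable(projects, "../secret"))
    out["vuln_absolute"] = names(list_project_files_vulnerable(projects, secret))
    out["hard_ok"] = list_project_files_hardened(projects, "alpha")
    probes = [("hard_dotdot", "../secret"), ("hard_absolute", secret), ("hard_empty", "")]
    if have_symlink:
        probes.append(("hard_symlink", "evil"))
    for label, name in probes:
        try:
            list_project_files_hardened(projects, name)
            out[label] = "accepted"
        except ProjectNameError:
            out[label] = "rejected"
    return out


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Running the module prints one line per probe: the vulnerable handler lists files under `../secret` and under an absolute path outside the projects directory, while the hardened handler rejects those names, the empty name and the planted symlink, and still lists `alpha` normally. The containment check compares the resolved project path's parent with the resolved base rather than using a string prefix test, which is what defeats the symlink case.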

CWE(s)

CWE-29: Path Traversal: '\..\filename'

AI Security Analysis

AI Category: Enterprise AI Assistants
Risk Domain: Privacy and Disclosure
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: stitionai/devika is an open-source AI coding agent (an "Agentic AI Software Engineer"), fitting the Enterprise AI Assistants category because it functions as an AI assistant for development tasks.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1083 File and Directory Discovery (tactic: Discovery)
Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.
T1190 Exploit Public-Facing Application (tactic: Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1499 Endpoint Denial of Service (tactic: Impact)
Adversaries may perform Endpoint Denial of Service (DoS) attacks to degrade or block the availability of services to users.
Why these techniques?

Path traversal enables file and directory discovery (T1083) through arbitrary file reads; the get-project-files endpoint is reached over the network, so exploitation maps to Exploit Public-Facing Application (T1190); and pointing 'project-name' at the root directory makes the application attempt to read the entire filesystem, which is the endpoint DoS (T1499).

MITRE ATLAS Techniques

AML.T0024: Exfiltration via AI Inference API
AML.T0048: External Harms

Affected Assets

stitionai/devika: all versions

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
