CVE-2024-9415
Published: 20 March 2025
Summary
CVE-2024-9415 is a high-severity Path Traversal (CWE-22) vulnerability in the Superagi project (vendor Superagi, product Superagi). Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 13.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; and a public proof-of-concept is referenced.
Deeper analysis
A Path Traversal vulnerability exists in the file upload functionality of transformeroptimus/superagi version 0.0.14. The flaw, tracked as CWE-22, permits an attacker to supply crafted paths during upload operations, enabling arbitrary file placement on the underlying server. The CVSS 3.0 base score is 8.8.
An authenticated remote attacker with low privileges can exploit the issue over the network without user interaction. Successful exploitation can result in remote code execution or the overwrite of arbitrary files on the server.
The associated EPSS score rose from lower values after public disclosure to a peak of 0.0523 on 2026-04-29 before receding to the current value of 0.0274, indicating a period of increased exploitation interest.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-6851
Vulnerability details
A Path Traversal vulnerability exists in the file upload functionality of transformeroptimus/superagi version 0.0.14. This vulnerability allows an attacker to upload an arbitrary file to the server, potentially leading to remote code execution or overwriting any file on the server.
- CWE(s): CWE-22 (Path Traversal)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Path traversal vulnerability in file upload enables arbitrary file writes on the server (T1190: Exploit Public-Facing Application), facilitating remote code execution via web shell deployment (T1100: Web Shell) or file overwrites.
Mitigating Controls
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Validates pathnames and filenames to prevent traversal outside intended directories.
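The control above is the one that closes this class of bug in an upload handler. The following is an added illustration, not code from transformeroptimus/superagi or from the advisory: a Python validator that maps a client-supplied filename to a destination inside a fixed upload root, rejecting (rather than sanitising) separators, drive prefixes, traversal segments and NUL bytes, and then re-checking the resolved path as defence in depth. The allow-list regex, the upload root and the sample names are assumptions chosen for the example.

```python
import re
from pathlib import Path

# Allow-list for the client-supplied filename: a single component, no leading dot,
# a conservative character set and a length limit. (Policy chosen for this example.)
_SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")


def safe_upload_path(upload_root: str, user_filename: str) -> Path:
    """Map a client-supplied filename to an absolute path inside upload_root.

    Raises ValueError instead of 'cleaning' a bad name: stripping '../' from
    '....//' still leaves '../', so rejection is the only safe response.
    """
    if "\x00" in user_filename:
        raise ValueError("NUL byte in filename")
    # Any separator (POSIX or Windows style) or a drive prefix means the client is
    # trying to choose a directory, which an upload handler must never allow.
    if re.search(r"[\\/]", user_filename) or re.match(r"^[A-Za-z]:", user_filename):
        raise ValueError("directory components are not allowed")
    if user_filename in (".", "..") or not _SAFE_NAME.match(user_filename):
        raise ValueError("filename does not match the allow-list")

    root = Path(upload_root).resolve()
    dest = (root / user_filename).resolve()
    # Defence in depth: even after the checks above, confirm that the final
    # resolved path (symlinks followed) is still below the upload root.
    try:
        dest.relative_to(root)
    except ValueError:
        raise ValueError("resolved path escapes the upload root") from None
    return dest


def is_accepted(upload_root: str, user_filename: str) -> bool:
    """True if safe_upload_path would accept the name; useful for tests and audit logs."""
    try:
        safe_upload_path(upload_root, user_filename)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample inputs: one benign name and several malformed names of
    # the kind an upload handler must refuse (hypothetical upload root).
    samples = ["report.pdf", "../../etc/passwd", "/etc/passwd",
               "..\\..\\windows\\win.ini", "C:boot.ini", "a\x00.png", ".ssh"]
    for name in samples:
        verdict = "accepted" if is_accepted("/tmp/uploads", name) else "REJECTED"
        print(f"{verdict:8} {name!r}")
```

The same check belongs on any other user-influenced path the upload code touches (for example a target folder or agent identifier), not only on the filename.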