CVE-2024-5548

A directory traversal vulnerability exists in the stitionai/devika repository, specifically within the /api/download-project endpoint. Attackers can exploit this vulnerability by manipulating the ‘project_name’ parameter in a GET request to download arbitrary files from the system. This issue affects the latest version of the repository. The vulnerability arises due to insufficient input validation in the ‘download_project’ function, allowing attackers to traverse the directory structure and access files outside the intended directory. This could lead to unauthorized access to sensitive files on the server.

More information : https://github.com/stitionai/devika/commit/6acce21fb08c3d1123ef05df6a33912bf0ee77c2