CVE-2025-51475

Arbitrary File Overwrite (AFO) in superagi.controllers.resources.upload in TransformerOptimus SuperAGI 0.0.14 allows remote attackers to overwrite arbitrary files via unsanitised filenames submitted to the file upload endpoint, due to improper handling of directory traversal in os.path.join() and lack of path validation in get_root_input_dir().
Configurations

Configuration 1

cpe:2.3:a:superagi:superagi:0.0.14:*:*:*:*:*:*:*

History

09 Oct 2025, 16:08

Type       | Values Removed                                          | Values Added
First Time |                                                         | Superagi
           |                                                         | Superagi superagi
References | https://github.com/TransformerOptimus/SuperAGI          | https://github.com/TransformerOptimus/SuperAGI (Product)
References | https://github.com/TransformerOptimus/SuperAGI/pull/1463 | https://github.com/TransformerOptimus/SuperAGI/pull/1463 (Exploit, Issue Tracking)
References | https://www.gecko.security/blog/cve-2025-51475          | https://www.gecko.security/blog/cve-2025-51475 (Exploit, Third Party Advisory)
CPE        |                                                         | cpe:2.3:a:superagi:superagi:0.0.14:*:*:*:*:*:*:*

25 Jul 2025, 15:29

Type    | Values Removed | Values Added
Summary |                | (es) Arbitrary File Overwrite (AFO) in superagi.controllers.resources.upload in TransformerOptimus SuperAGI 0.0.14 allows remote attackers to overwrite arbitrary files via unsanitised filenames submitted to the file upload endpoint, due to improper handling of directory traversal in os.path.join() and lack of path validation in get_root_input_dir().

22 Jul 2025, 20:15

Type    | Values Removed | Values Added
New CVE |                |

Information

Published : 2025-07-22 20:15

Updated : 2025-10-09 16:08


NVD link : CVE-2025-51475

Mitre link : CVE-2025-51475

CVE.ORG link : CVE-2025-51475

Products Affected

superagi

  • superagi
CWE
CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')