Gecko Research and Publications

Explore our researchers' latest research and publications showing Gecko's capabilities.

Gecko Security Team

CVE Analysis

CVE-2025-51482: Letta RCE via Unsanitized Tool Execution Endpoint

An RCE was found in Letta's /v1/tools/run endpoint. This endpoint accepts arbitrary Python source code and environment variables from users, then executes the code using Python's built-in exec() function in a basic sandbox environment.

Gecko Security Team

CVE Analysis

CVE-2025-51481: Dagster LFI in gRPC Server's ExternalNotebookData Endpoint

An LFI vulnerability was found in Dagster's gRPC server implementation. It exists in the ExternalNotebookData endpoint, which is designed to load notebook data for integration with Dagster workflows.

Gecko Security Team

CVE Analysis

CVE-2025-51480: ONNX Arbitrary File Overwrite in save_external_data

The library's save_external_data function allows arbitrary file overwrite through path traversal. This allows attackers to craft malicious tensor data with specially constructed external_data paths using "../" sequences to escape the intended directory and write to any location on the filesystem where the process has write permissions.

Gecko Security Team

CVE Analysis

CVE-2025-51479: ONYX Authorization Bypass in Enterprise Edition Group Management API

An authorization bypass was found in the Onyx Enterprise Edition's group management functionality. The application intends for Curators to administer only users within groups they are specifically assigned to, but a flaw in the API implementation allows unauthorized manipulation of any group within the system.

Gecko Security Team

CVE Analysis

CVE-2025-51475: SuperAGI AFO in File Upload Endpoint

An arbitrary file overwrite (AFO) was found in SuperAGI's file upload functionality due to insufficient sanitization of user-supplied filenames. The implementation checks file extensions, but it fails to neutralize directory traversal sequences such as ../, allowing attackers to write files outside the intended directory.

Gecko Security Team

CVE Analysis

CVE-2025-51472: SuperAGI RCE via Unsafe Eval in Template Config

An RCE was found in SuperAGI in the AgentTemplate.eval_agent_config method. The vulnerability is caused by the direct use of Python's eval() function on user-controlled input without any sanitization or validation.

Gecko Security Team

CVE Analysis

CVE-2025-51471: Ollama Cross-Domain Authentication Token Exposure

Ollama's authentication flow contains a vulnerability in its model pulling mechanism. When a user pulls a model from an HTTPS server that responds with a 401 Unauthorized status, Ollama follows the WWW-Authenticate header's realm URL without validating if it belongs to the same domain as the original request.

Gecko Security Team

CVE Analysis

CVE-2025-51464: Stored XSS in AIM Reports

A stored cross-site scripting (XSS) vulnerability was found in Aim Reports, allowing embedded malicious Python code to execute arbitrary JavaScript in users' browsers.

Gecko Security Team

CVE Analysis

CVE-2025-51463: Aim Path Traversal in Server Backup Restoration

A path traversal vulnerability was found in the Aim server. This vulnerability allows remote attackers to write arbitrary files on the server's filesystem via a malicious tar file extraction.

Gecko Security Team

CVE Analysis

CVE-2025-51462: Ragflow XSS in Dialog Configuration

A stored cross-site scripting (XSS) vulnerability was found in the dialog configuration functionality. The application fails to properly sanitize user input in the prompt_config fields, particularly in the "Opening greeting" section under "Assistant Setting".

Gecko Security Team

CVE Analysis

CVE-2025-51459: DB-GPT RCE in DB-GPT Plugin Upload System

An RCE was found in the plugin upload functionality through the /v1/personal/agent/upload endpoint. While basic controls are in place for filename sanitization and path traversal prevention via _sanitize_filename(), there is no validation of the actual plugin code content.

Gecko Security Team

CVE Analysis

CVE-2025-51458: DB-GPT SQLI via CVE Bypass

An SQL injection was found in DB-GPT 0.7.0 despite fixes for prior CVEs (CVE-2024-10835 and CVE-2024-10901).