CVE-2025-51475: SuperAGI AFO in File Upload Endpoint

April 23, 2025 by Gecko Security Research · Medium 5.0

Arbitrary file overwrite vulnerability in SuperAGI's file upload functionality due to insufficient path sanitization.

Description

An arbitrary file overwrite (AFO) vulnerability was found in SuperAGI's file upload functionality due to insufficient sanitization of user-supplied filenames. The implementation checks file extensions, but it fails to neutralize directory traversal sequences such as ../, allowing attackers to write files outside the intended directory.

The vulnerability lies in the /api/resources/add/<agent_id> endpoint in the superagi/controllers/resources.py file. The file path is constructed using os.path.join() with a base directory and user-provided filename, without enforcing path constraints. Although extensions are validated, an attacker can append a valid extension (e.g., .pdf) to a malicious filename like ../../../etc/passwd%00.pdf to bypass checks.

The file is written using Python’s open() in binary write mode ('wb'), which allows overwriting existing files. The base directory is retrieved from ResourceHelper.get_root_input_dir, which does not enforce path containment, making arbitrary overwrite possible anywhere within the application’s writable file system.

Source-Sink Analysis

  1. Source: upload() in superagi/controllers/resources.py
    • Receives file and filename input directly from user upload
  2. Intermediate: get_root_input_dir() in superagi/helper/resource_helper.py
    • Resolves the base storage directory without normalization or validation
  3. Sink: open() in superagi/controllers/resources.py
    • Writes the file using the unsanitized path, allowing path traversal

Proof of Concept

To verify this vulnerability, we need to:

  1. Create a local file and ensure that it has one of the valid extensions
  2. Create a new "resource" with the local file as a parameter

```bash
# create a malicious file
touch anyfile.txt
echo "This is a test file" > anyfile.txt

# create the resource with said file as a parameter
curl -X POST "http://127.0.0.1:3000/api/resources/add/1" \
  -H "Content-Type: multipart/form-data" \
  -F "file=@anyfile.txt" \
  -F "name=../../../../etc/passwd.txt" \
  -F "type=text/plain" \
  -F "size=1024"
```

Output

```json
{
  "name": "../../../../etc/passwd.txt",
  "path": "/app/workspace/input/test_1/anyfile.txt",
  ...
}
```

Impact

This vulnerability allows attackers to:

  • Overwrite arbitrary files on the filesystem
  • Bypass application logic and controls
  • Escalate privileges or disrupt service if critical files are overwritten

Product

SuperAGI

Vendor

TransformerOptimus

Version

0.0.14

CVSS

5.0