CVSS 5.0 (medium), CVE-2025-51475

CVE-2025-51475: SuperAGI AFO in File Upload Endpoint

Arbitrary file overwrite vulnerability in SuperAGI's file upload functionality due to insufficient path sanitization.

Gecko Security Research
Gecko Security Team
1/15/2025

Description

An arbitrary file overwrite (AFO) vulnerability was found in SuperAGI's file upload functionality due to insufficient sanitization of user-supplied filenames. The implementation checks file extensions but does not neutralize directory traversal sequences such as ../, allowing attackers to write files outside the intended directory.

The vulnerability lies in the /api/resources/add/<agent_id> endpoint in the superagi/controllers/resources.py file. The file path is constructed using os.path.join() with a base directory and user-provided filename, without enforcing path constraints. Although extensions are validated, an attacker can append a valid extension (e.g., .pdf) to a malicious filename like ../../../etc/passwd%00.pdf to bypass checks.

The file is written using Python’s open() in binary write mode ('wb'), which allows overwriting existing files. The base directory is retrieved from ResourceHelper.get_root_input_dir, which does not enforce path containment, making arbitrary overwrite possible anywhere within the app’s writeable file system.
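
The containment check the description says is missing can be sketched as follows. This is an added example, not SuperAGI's code or its fix: the function names, the extension allow-list and the temporary base directory are assumptions, and it also covers absolute filenames, which os.path.join() lets replace the base directory entirely.

```python
import os
import tempfile

ALLOWED_EXTENSIONS = {".pdf", ".txt", ".csv", ".docx"}  # assumed allow-list for illustration


def naive_path(base_dir: str, filename: str) -> str:
    """Pattern described above: extension check plus os.path.join(), no containment."""
    if os.path.splitext(filename)[1].lower() not in ALLOWED_EXTENSIONS:
        raise ValueError("extension not allowed")
    # normpath is applied only to show where the write would actually land
    return os.path.normpath(os.path.join(base_dir, filename))


def contained_path(base_dir: str, filename: str) -> str:
    """Hardened variant: resolve the final path and require it to stay under base_dir."""
    if "\x00" in filename:
        raise ValueError("NUL byte in filename")
    if os.path.splitext(filename)[1].lower() not in ALLOWED_EXTENSIONS:
        raise ValueError("extension not allowed")
    base = os.path.realpath(base_dir)
    # realpath collapses ../ and follows symlinks, so the check sees the real target
    target = os.path.realpath(os.path.join(base, filename))
    if os.path.commonpath([base, target]) != base:
        raise ValueError("path escapes upload directory")
    return target


def save_upload(base_dir: str, filename: str, data: bytes) -> str:
    """Write an upload only after containment holds; 'xb' refuses to overwrite."""
    target = contained_path(base_dir, filename)
    os.makedirs(os.path.dirname(target), exist_ok=True)
    with open(target, "xb") as fh:
        fh.write(data)
    return target


if __name__ == "__main__":
    base = tempfile.mkdtemp()  # constructed stand-in for the resource input directory
    for name in ["report.pdf", "../../../../etc/passwd.txt", "/etc/cron.d/job.txt"]:
        print(repr(name), "naive ->", naive_path(base, name))
        try:
            print("   contained ->", contained_path(base, name))
        except ValueError as exc:
            print("   rejected:", exc)
```

Opening with 'xb' instead of 'wb' is a separate, assumed design choice: it makes an existing file an error rather than something to be silently replaced.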

Source - Sink Analysis

  1. Source: upload() in superagi/controllers/resources.py
    • Receives file and filename input directly from user upload
  2. Intermediate: get_root_input_dir() in superagi/helper/resource_helper.py
    • Resolves the base storage directory without normalization or validation
  3. Sink: open() in superagi/controllers/resources.py
    • Writes the file using an unsanitized path, allowing path traversal

Proof of Concept

To verify this vulnerability, we need to:

  1. Create a local file and ensure that it has one of the valid extensions
  2. Create a new "resource" with the local file as a parameter

# create a malicious file
touch anyfile.txt
echo "This is a test file" > anyfile.txt

# create the resource with said file as a parameter
curl -X POST "http://127.0.0.1:3000/api/resources/add/1" \
  -H "Content-Type: multipart/form-data" \
  -F "file=@anyfile.txt" \
  -F "name=../../../../etc/passwd.txt" \
  -F "type=text/plain" \
  -F "size=1024"

Output

{
  "name": "../../../../etc/passwd.txt",
  "path": "/app/workspace/input/test_1/anyfile.txt",
  ...
}

Impact

This vulnerability allows attackers to:

  • Overwrite arbitrary files on the filesystem
  • Bypass application logic and controls
  • Escalate privileges or disrupt service if critical files are overwritten