CVE-2025-51475

Source
https://cve.org/CVERecord?id=CVE-2025-51475
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-51475.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-51475
Published
2025-07-22T20:15:25.727Z
Modified
2026-04-10T05:29:20.146901Z
Severity
  • 5.0 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
Summary
[none]
Details

Arbitrary File Overwrite (AFO) in superagi.controllers.resources.upload in TransformerOptimus SuperAGI 0.0.14 allows remote attackers to overwrite arbitrary files via unsanitised filenames submitted to the file upload endpoint, due to improper handling of directory traversal in os.path.join() and lack of path validation in getrootinput_dir().
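The two defects the Details name (a client-supplied filename joined straight onto the upload root with os.path.join(), and no check that the resulting path still lies under that root) are easy to reproduce and to close. The following is an added illustration written for this record, not SuperAGI's code: UPLOAD_ROOT, naive_upload_path, safe_upload_path, escapes_root and rejects are hypothetical names chosen for the demonstration, and the upload root path is constructed.

```python
import os

# Constructed upload root for the demonstration (hypothetical path, need not exist).
UPLOAD_ROOT = "/srv/uploads"


def naive_upload_path(root, filename):
    """The unsafe pattern: the user-supplied name is joined directly onto the root.

    os.path.join() discards everything before an absolute component and does not
    collapse '..' segments, so both an absolute name and a traversal name yield a
    path outside `root` that a later open(..., "wb") would happily overwrite.
    """
    return os.path.join(root, filename)


def escapes_root(root, path):
    """True if `path`, once '..' and symlinks are resolved, is not inside `root`."""
    root_real = os.path.realpath(root)
    target = os.path.realpath(path)
    # commonpath compares at component boundaries, so '/srv/uploads-old' is not
    # mistaken for a child of '/srv/uploads' the way a plain startswith() would.
    return os.path.commonpath([root_real, target]) != root_real


def safe_upload_path(root, filename):
    """Hardened version: reject any name carrying directory components, then
    verify the resolved destination is still under the resolved root.

    Raises ValueError for anything that should not be written.
    """
    if "\x00" in filename:
        raise ValueError("NUL byte in filename")
    # Treat backslashes as separators too, so '..\\..\\x' is not accepted
    # on POSIX and later mis-handled if the files are served elsewhere.
    normalised = filename.replace("\\", "/")
    base = os.path.basename(normalised)
    if base != normalised or base in ("", ".", ".."):
        raise ValueError(f"rejected filename: {filename!r}")

    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, base))
    # Defence in depth: with a bare basename the join cannot traverse, but an
    # existing symlink of that name inside the root could still point elsewhere;
    # realpath() follows it and the containment check refuses the write.
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise ValueError(f"destination escapes upload root: {candidate!r}")
    return candidate


def rejects(root, filename):
    """Convenience predicate: does the hardened function refuse this name?"""
    try:
        safe_upload_path(root, filename)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for name in ["report.txt", "../../etc/passwd", "/etc/passwd", "..\\..\\win.ini"]:
        unsafe = naive_upload_path(UPLOAD_ROOT, name)
        print(f"{name!r:22} naive -> {unsafe!r:32} escapes={escapes_root(UPLOAD_ROOT, unsafe)} "
              f"hardened rejects={rejects(UPLOAD_ROOT, name)}")
```

Run stand-alone, the script shows the naive join resolving to `/etc/passwd` for both the traversal and the absolute name while the hardened function refuses them and accepts only the plain basename; the containment check after realpath() is what the advisory's missing path validation amounts to.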

References

Affected packages

Git / github.com/transformeroptimus/superagi

Affected ranges

Type
GIT
Repo
https://github.com/transformeroptimus/superagi
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "0.0.14"
        }
    ]
}

Affected versions

v0.*
v0.0.1
v0.0.10
v0.0.11
v0.0.12
v0.0.13
v0.0.14
v0.0.2
v0.0.3
v0.0.4
v0.0.6
v0.0.7
v0.0.8
v0.0.9

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-51475.json"