Agnai vulnerable to Remote Code Execution via JS Upload using Directory Traversal
Description
Agnai is an artificial-intelligence-agnostic multi-user, mult-bot roleplaying chat system. A vulnerability in versions prior to 1.0.330 permits attackers to upload arbitrary files to attacker-chosen locations on the server, including JavaScript, enabling the execution of commands within those files. This issue could result in unauthorized access, full server compromise, data leakage, and other critical security threats. This does not affect agnai.chat, installations using S3-compatible storage, or self-hosting that is not publicly exposed. This does affect publicly hosted installs without S3-compatible storage. Version 1.0.330 fixes this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Agnai chat system versions prior to 1.0.330 permit arbitrary file upload via path traversal, leading to remote code execution.
Vulnerability
Details
CVE-2024-47169 is a critical vulnerability in Agnai, an AI-agnostic multi-user roleplaying chat system, affecting versions prior to 1.0.330. The flaw combines a path traversal weakness (CWE-35) with unrestricted file upload of dangerous file types (CWE-434) [1][2]. Specifically, the _id parameter in the POST /api/chat/{id}/temp-character endpoint is not properly sanitized, allowing an attacker to traverse directories and write files to arbitrary locations on the server [2]. Additionally, the entityUploadBase64 function in srv/api/upload.ts does not validate the filename or content, enabling the upload of arbitrary files including JavaScript [2].
Exploitation and
Impact
An authenticated attacker can exploit this by crafting a request with a path traversal payload in the _id field, uploading a malicious JavaScript file to a location such as the server's application directory [2]. This allows the attacker to execute arbitrary commands on the server when the uploaded file is accessed or triggered. The attack requires network access and low-privilege authentication, and the CVSS 4.0 base score is 9.0 (Critical) [2]. Successful exploitation could lead to unauthorized access, full server compromise, data leakage, and other critical security threats [1][2].
Mitigation and
Scope
This vulnerability does not affect the official agnai.chat instance, installations using S3-compatible storage, or self-hosted instances that are not publicly exposed [1][2]. It specifically impacts publicly hosted installations that do not use S3-compatible storage [1][2]. The issue has been fixed in version 1.0.330, and users are strongly advised to upgrade immediately [1][2]. No workarounds are documented.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
agnainpm | < 1.0.330 | 1.0.330 |
Affected products
3- agnaistic/agnaiv5Range: < 1.0.330
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
3- github.com/advisories/GHSA-mpch-89gm-hm83ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2024-47169ghsaADVISORY
- github.com/agnaistic/agnai/security/advisories/GHSA-mpch-89gm-hm83ghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.