VYPR
Low severity · NVD Advisory · Published Sep 26, 2024 · Updated Mar 12, 2025

Agnai File Disclosure Vulnerability: JSON via Path Traversal

CVE-2024-47170

Description

Agnai is an artificial-intelligence-agnostic multi-user, multi-bot roleplaying chat system. A vulnerability in versions prior to 1.0.330 permits attackers to read arbitrary JSON files at attacker-chosen locations on the server. This issue can lead to unauthorized access to sensitive information and exposure of confidential configuration files. This only affects installations with JSON_STORAGE enabled, which is intended for local/self-hosting only. Version 1.0.330 fixes this issue.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Agnai prior to v1.0.330 has a path traversal flaw allowing attackers to read arbitrary JSON files when JSON_STORAGE is enabled.

Vulnerability

CVE-2024-47170 is a path traversal vulnerability in Agnai, an AI-agnostic multi-user roleplay chat system [1]. The issue resides in the loadMessages handler within agnai/srv/api/json/index.ts, where the file path for reading message files is constructed using string interpolation without sanitization [3]. An attacker can manipulate the params.id parameter to traverse directories, as demonstrated by the proof-of-concept request: GET /api/json/messages/%2e%2e%2f%2e%2e%2f%2e%2e%2f%61%70%70%2fpackage [3]. This only affects installations where the non-standard JSON_STORAGE feature is enabled, which is intended for local/self-hosted deployments [1][3].
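As an added illustration (this is not Agnai's code and not the project's actual fix), the TypeScript below places the pattern described above, a message-file path built by interpolating an untrusted identifier, next to a hardened resolver that decodes the identifier, allow-lists its characters, and confirms the resolved path still sits inside the storage directory. The function names, the storageDir/messages layout and the sample identifiers are assumptions made for the example.

```typescript
import * as path from "path";

// Illustrative only: a lookup that interpolates an untrusted id straight into
// a file path, the defect class the advisory describes (not Agnai's real code).
export function naiveMessagePath(storageDir: string, id: string): string {
  return `${storageDir}/messages/${id}.json`;
}

// Does a candidate path, once normalised, still lie inside storageDir?
export function isInside(storageDir: string, candidate: string): boolean {
  const base = path.resolve(storageDir);
  const target = path.resolve(candidate);
  return target === base || target.startsWith(base + path.sep);
}

// Hardened resolver: returns the absolute file for a message id, or null when
// the id is not a plain identifier or would resolve outside the messages dir.
export function resolveMessagePath(storageDir: string, id: string): string | null {
  // Decode percent-encoding so that %2e%2e%2f is judged as "../", whether or
  // not the web framework already decoded the route parameter once.
  let decoded: string;
  try {
    decoded = decodeURIComponent(id);
  } catch {
    return null; // malformed encoding is rejected outright
  }
  // Primary control: an allow-list of characters that cannot express a path
  // (no separators, no dots, no percent signs). Length bound is an assumption.
  if (!/^[A-Za-z0-9_-]{1,64}$/.test(decoded)) {
    return null;
  }
  const base = path.resolve(storageDir, "messages");
  const candidate = path.resolve(base, `${decoded}.json`);
  // Defence in depth: re-check containment after resolution, so a future
  // change to the allow-list cannot silently reopen traversal.
  return isInside(base, candidate) ? candidate : null;
}
```

The allow-list is the control that actually closes the hole; the containment check after path.resolve is kept as a second, independent guard. Rejecting (rather than sanitising) anything outside the allow-list avoids the usual strip-and-retry mistakes with nested or double-encoded sequences.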

Exploitation

An authenticated attacker can exploit this vulnerability by sending a crafted HTTP request to the vulnerable endpoint [3]. The request bypasses path traversal protections using URL-encoded sequences (e.g., %2e%2e%2f for ../) to read any JSON file on the server that the webserver process has read privileges for [3]. No additional authentication beyond a valid user account is required, and the attack complexity is low, requiring network access [3].

Impact

Successful exploitation allows unauthenticated (or low-privileged) attackers to read arbitrary JSON files, including application configuration files that may contain secrets, API keys, or other sensitive data [1]. This could lead to unauthorized access to other parts of the system or data exposure, as the attacker can exfiltrate confidential information stored in JSON format [3].

Mitigation

The vulnerability is fixed in version 1.0.330 [1][2]. Users with JSON_STORAGE enabled should update immediately. For those who cannot upgrade, disabling JSON_STORAGE or restricting network access to the Agnai instance can reduce exposure [1][3]. The issue was discovered and reported by researchers @ropwareJB and @noe233 [3].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package        Affected versions    Patched versions
agnai (npm)    < 1.0.330            1.0.330

Affected products (3)

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (3)

News mentions (0)

No linked articles in our index yet.