AVID-2026-R1580
Description
Unprotected WebSocket in stitionai/devika (CVE-2024-5820)
Details
An unprotected WebSocket connection in the latest version of stitionai/devika (commit ecee79f) allows a malicious website to connect to the backend and issue commands on behalf of the user. The backend delivers its messages to every listener connected to the socket, so such a malicious website can also read all communication between the user and the backend. This vulnerability can lead to unauthorized command execution and potential server-side request forgery.
Reason for inclusion in AVID: CVE-2024-5820 describes an unprotected WebSocket in stitionai/devika enabling remote command execution and potential server-side request forgery. This is a software vulnerability within a backend component that could be used in AI model serving/deployment stacks, i.e., part of the software supply chain for general-purpose AI systems. The issue concerns AI-related software (backend used in AI workflows) and provides CVE, description, and impact details, indicating a clear security vulnerability with evidence.
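The class of issue described above is a WebSocket endpoint that accepts any connecting page without checking who is connecting. The following added example (not devika's code; the allowed origins, token and function names are constructed assumptions) shows the two checks a backend handshake handler needs before completing the RFC 6455 upgrade: an exact-match Origin allowlist, so a foreign page's browser-initiated connection is refused, and a per-session secret, since Origin alone is not authorization.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlsplit

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"  # RFC 6455 handshake constant

# Constructed configuration (assumptions, not devika's real settings): the front-end
# origins this backend may serve, and a per-session token the real front-end holds.
ALLOWED_ORIGINS = {"http://localhost:3000", "https://devika.example.test"}
SESSION_TOKEN = "constructed-session-token-not-a-real-secret"


def normalize_origin(origin: str) -> str:
    """Reduce Origin to scheme://host[:port] so the allowlist match is exact, not substring."""
    parts = urlsplit(origin.strip().lower())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return ""
    default = 80 if parts.scheme == "http" else 443
    try:
        port = parts.port or default
    except ValueError:  # e.g. "http://localhost:3000.evil.example" has a non-numeric port
        return ""
    suffix = "" if port == default else f":{port}"
    return f"{parts.scheme}://{parts.hostname}{suffix}"


def check_handshake(headers: dict, allowed_origins=ALLOWED_ORIGINS, token=SESSION_TOKEN):
    """Return (Sec-WebSocket-Accept, None) to accept the upgrade, or (None, reason) to reject."""
    h = {k.lower(): v for k, v in headers.items()}
    if h.get("upgrade", "").lower() != "websocket":
        return None, "not a websocket upgrade"
    # Browsers always attach Origin to a WebSocket upgrade; an absent or unlisted Origin
    # means the page opening the socket is not the expected front-end.
    origin = normalize_origin(h.get("origin", ""))
    if not origin or origin not in {normalize_origin(o) for o in allowed_origins}:
        return None, "origin not allowed"
    # Origin is not authorization: also require a secret only the legitimate client has.
    auth = h.get("authorization", "")
    if not auth.startswith("Bearer ") or not hmac.compare_digest(auth[7:], token):
        return None, "missing or invalid token"
    key = h.get("sec-websocket-key", "")
    if not key:
        return None, "missing Sec-WebSocket-Key"
    accept = base64.b64encode(hashlib.sha1((key + WS_GUID).encode()).digest()).decode()
    return accept, None
```

The accept value returned for the RFC 6455 sample key is the one the RFC itself lists, so the function can be dropped in front of any raw-socket or framework upgrade hook that exposes the request headers.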
References
Affected or Relevant Artifacts
- Developer: stitionai
- Deployer: stitionai
- Artifact Details:
| Type | Name |
|---|---|
| System | stitionai/devika |
Impact
AVID Taxonomy Categorization
- Risk domains: Security
- SEP subcategories: S0100: Software Vulnerability
- Lifecycle stages: L06: Deployment
CVSS
| Metric | Value |
|---|---|
| Version | 3.0 |
| Vector String | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L |
| Base Score | 7.6 |
| Base Severity | 🔴 High |
| Attack Vector | NETWORK |
| Attack Complexity | 🟢 Low |
| Privileges Required | NONE |
| User Interaction | REQUIRED |
| Scope | UNCHANGED |
| Confidentiality Impact | 🔴 High |
| Integrity Impact | 🟢 Low |
| Availability Impact | 🟢 Low |
CWE
| ID | Description |
|---|---|
| CWE-862 | Missing Authorization |
Other information
- Report Type: Advisory
- Credits:
- Date Reported: 2024-06-27
- Version: 0.3.3
- AVID Entry