CVE-2025-51475 — MEDIUM (5.0)

Vulnerability Description

Arbitrary File Overwrite (AFO) in superagi.controllers.resources.upload in TransformerOptimus SuperAGI 0.0.14 allows remote attackers to overwrite arbitrary files via unsanitised filenames submitted to the file upload endpoint, due to improper handling of directory traversal in os.path.join() and lack of path validation in get_root_input_dir().

CVSS Score

5.0

MEDIUM

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

NONE

Availability

NONE

Affected Products

Vendor	Product	Versions
Superagi	Superagi	0.0.14

Related Weaknesses (CWE)

CWE-22

References

https://github.com/TransformerOptimus/SuperAGIProduct
https://github.com/TransformerOptimus/SuperAGI/pull/1463ExploitIssue Tracking
https://www.gecko.security/blog/cve-2025-51475ExploitThird Party Advisory

FAQ

What is CVE-2025-51475?

CVE-2025-51475 is a vulnerability with a CVSS score of 5.0 (MEDIUM). Arbitrary File Overwrite (AFO) in superagi.controllers.resources.upload in TransformerOptimus SuperAGI 0.0.14 allows remote attackers to overwrite arbitrary files via unsanitised filenames submitted t...

How severe is CVE-2025-51475?

CVE-2025-51475 has been rated MEDIUM with a CVSS base score of 5.0/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2025-51475?

Check the references section above for vendor advisories and patch information. Affected products include: Superagi Superagi.