CVE-2024-5549
📋 TL;DR
A CORS misconfiguration in the stitionai/devika repository allows attackers to steal sensitive information like logs, browser sessions, and settings containing private API keys. This vulnerability also enables attackers to perform actions on behalf of users, such as deleting projects or sending messages. All users running any version of the stitionai/devika repository are affected.
💻 Affected Systems
- stitionai/devika
📦 What is this software?
Devika by Stitionai
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of user accounts, theft of all sensitive data including API keys, unauthorized deletion of projects, and full account takeover allowing further attacks on connected services.
Likely Case
Theft of sensitive information including API keys and session data, unauthorized actions performed on user accounts, and potential lateral movement to other services using stolen credentials.
If Mitigated
No impact if proper CORS validation is implemented and the service is not internet-facing.
🎯 Exploit Status
Exploitation requires the attacker to craft malicious web pages that make cross-origin requests to the vulnerable service.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Commit 6acce21fb08c3d1123ef05df6a33912bf0ee77c2
Vendor Advisory: https://github.com/stitionai/devika/commit/6acce21fb08c3d1123ef05df6a33912bf0ee77c2
Restart Required: Yes
Instructions:
1. Update to the latest version of the stitionai/devika repository.
2. Apply commit 6acce21fb08c3d1123ef05df6a33912bf0ee77c2.
3. Restart the application service.
🔧 Temporary Workarounds
Implement CORS restrictions
Configure the web server to only allow requests from trusted origins
# Configure CORS in your web server or application framework
# Example for Express.js (uses the `cors` middleware package):
const express = require('express')
const cors = require('cors')
const app = express()
app.use(cors({
  // Explicit allow-list; never reflect the request's Origin header back
  origin: ['https://trusted-domain.com'],
  credentials: true
}))
Network isolation
Restrict access to the service using firewall rules
# Example iptables rules to restrict access; the ACCEPT rule must be
# appended before the DROP rule, since iptables matches in order
sudo iptables -A INPUT -p tcp --dport [PORT] -s [TRUSTED_IP] -j ACCEPT
sudo iptables -A INPUT -p tcp --dport [PORT] -j DROP
🧯 If You Can't Patch
- Implement strict CORS policies allowing only trusted origins
- Deploy the service behind a reverse proxy with proper CORS headers
🔍 How to Verify
Check if Vulnerable:
Test if the service responds to cross-origin requests from untrusted domains by attempting to make a request from a different origin using browser developer tools or curl with appropriate headers.
Check Version:
Check the git commit hash or version in the repository: git log --oneline -1
Verify Fix Applied:
Verify that cross-origin requests from untrusted domains are blocked and only requests from configured trusted origins are allowed.
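The check described above, as an added example that is not part of the advisory or the devika project: send a request carrying an untrusted Origin header and classify the CORS response headers. Both a reflected origin and a wildcard are reported as failing, since either lets a page on an arbitrary origin read the response; the target URL is supplied by the operator, and the probe origin is a constructed value.

```python
"""Probe an HTTP endpoint for a permissive CORS configuration."""
import sys
import urllib.error
import urllib.request

# Constructed origin that no legitimate deployment should allow-list.
PROBE_ORIGIN = "https://cors-probe.invalid"


def classify_cors(headers, probe_origin=PROBE_ORIGIN):
    """Classify a response's CORS headers relative to the probe origin.

    Verdicts: "reflects-origin-with-credentials", "reflects-origin",
    "wildcard-with-credentials", "wildcard" or "restricted".
    """
    lower = {k.lower(): v for k, v in headers.items()}
    acao = lower.get("access-control-allow-origin")
    creds = lower.get("access-control-allow-credentials", "").lower() == "true"
    if acao == probe_origin:
        return "reflects-origin-with-credentials" if creds else "reflects-origin"
    if acao == "*":
        # "*" plus credentials is rejected by browsers, but still signals
        # a sloppy configuration worth fixing.
        return "wildcard-with-credentials" if creds else "wildcard"
    return "restricted"


def is_vulnerable(verdict):
    """True when a page on the probe origin could read the response."""
    return verdict in ("reflects-origin-with-credentials", "reflects-origin",
                       "wildcard", "wildcard-with-credentials")


def probe(url, probe_origin=PROBE_ORIGIN, timeout=5):
    """GET `url` with an untrusted Origin and classify the reply headers."""
    req = urllib.request.Request(url, headers={"Origin": probe_origin})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_cors(dict(resp.headers), probe_origin)
    except urllib.error.HTTPError as err:
        # Error responses carry CORS headers too; classify them as well.
        return classify_cors(dict(err.headers), probe_origin)


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: cors_probe.py http://<host>:<port>/<endpoint>")
    verdict = probe(sys.argv[1])
    print(f"{sys.argv[1]}: {verdict} (vulnerable={is_vulnerable(verdict)})")
```

Run it against the deployed instance before and after applying the fix commit; a patched service should return "restricted" for the probe origin.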
📡 Detection & Monitoring
Log Indicators:
- Multiple failed CORS preflight requests
- Requests with suspicious Origin headers
- Unauthorized access attempts from unexpected origins
Network Indicators:
- Cross-origin requests to sensitive endpoints
- Requests with Origin headers not matching the service domain
SIEM Query:
source="web_server" AND ((http.method="OPTIONS" AND http.status="403") OR (http.header.origin=* AND NOT http.header.origin IN ["trusted_domain1", "trusted_domain2"]))