CVE-2024-5820

8.8 HIGH

📋 TL;DR

An unprotected WebSocket connection in stitionai/devika allows malicious websites to connect to the backend and issue commands as the authenticated user. This enables unauthorized command execution and potential server-side request forgery. All users running the vulnerable version are affected.

💻 Affected Systems

Products:
  • stitionai/devika
Versions: Latest version at commit ecee79f
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all deployments using the vulnerable WebSocket implementation


⚠️ Risk & Real-World Impact

🔴 Worst Case: Full server compromise allowing remote code execution, data theft, and complete system control

🟠 Likely Case: Unauthorized command execution leading to data exposure, privilege escalation, and SSRF attacks

🟢 If Mitigated: Limited impact with proper WebSocket authentication and origin validation

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires a malicious website that the victim visits while the devika backend is reachable from their browser.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Post-commit ecee79f

Vendor Advisory: https://huntr.com/bounties/2ba757bf-8ede-445b-b143-2de7769758a6

Restart Required: Yes

Instructions:

1. Update to latest devika version after commit ecee79f
2. Restart the devika service
3. Verify WebSocket connections now require proper authentication

🔧 Temporary Workarounds

WebSocket Origin Restriction

Platforms: all

Configure the WebSocket server to validate the Origin header of each upgrade request and accept connections only from trusted origins.

Network Isolation

Platforms: all

Restrict WebSocket access to internal networks only, and configure the firewall to block external WebSocket connections.

🧯 If You Can't Patch

  • Implement strict CORS policies and WebSocket origin validation
  • Deploy behind reverse proxy with WebSocket authentication
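As an added example (not devika's own code), the fail-closed Origin allowlist check that the workarounds above describe, in Python: ALLOWED_ORIGINS and the handshake_decision helper are constructed for illustration, and the check is meant to run on the HTTP Upgrade request before the WebSocket is accepted.

```python
from urllib.parse import urlsplit

# Constructed allowlist for this example: the browser origins that may open
# the backend WebSocket. Replace with the real front-end origin(s).
ALLOWED_ORIGINS = {
    "http://localhost:3000",
    "https://devika.example.internal",
}

DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize_origin(origin):
    """Return (scheme, host, port) for an Origin value, or None if malformed."""
    parts = urlsplit(origin)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    if parts.path or parts.query or parts.fragment:
        return None  # a browser Origin never carries a path or query
    try:
        port = parts.port  # raises ValueError for a non-numeric port
    except ValueError:
        return None
    if port is None:
        port = DEFAULT_PORTS[parts.scheme]
    return (parts.scheme, parts.hostname.lower(), port)


_ALLOWED = {normalize_origin(o) for o in ALLOWED_ORIGINS}


def is_allowed_origin(origin_header):
    """Decide whether a handshake may proceed based on its Origin header.

    Fails closed: a missing, 'null' or malformed Origin is rejected, and the
    comparison is on the full (scheme, host, port) tuple, so a lookalike such
    as https://localhost:3000.evil.example does not match the allowlist.
    """
    if not origin_header or origin_header == "null":
        return False
    return normalize_origin(origin_header) in _ALLOWED


def handshake_decision(headers):
    """Simulated gate on the upgrade request: 403 unless the Origin is allowed."""
    origin = headers.get("Origin") or headers.get("origin")
    if not is_allowed_origin(origin):
        return 403, "Forbidden: origin not allowed"
    return 101, "Switching Protocols"
```

An Origin check stops cross-site requests issued by a victim's browser but not a non-browser client that sets the header itself, so it complements the authentication the fix adds rather than replacing it.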

🔍 How to Verify

Check if Vulnerable:

Check if WebSocket connections are accepted without authentication from any origin

Check Version:

git log --oneline | head -1

Verify Fix Applied:

Test WebSocket connections require proper authentication and origin validation

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized WebSocket connection attempts
  • Unexpected command execution logs

Network Indicators:

  • WebSocket connections from unexpected origins
  • Unusual command patterns over WebSocket

SIEM Query:

websocket AND ((origin NOT IN allowed_origins) OR (command NOT IN allowed_commands))
