Coordinated Disclosure Timeline

Summary

Cognita is vulnerable to a zero-click remote code execution (RCE) vulnerability in certain configurations, including the default Docker setup. If a Cognita user visits an attacker-controlled website, the attacker may be able to get remote code execution in the context of the Cognita instance.

Project

Cognita

Tested Version

Latest

Details

Issue 1: CORS misconfiguration in backend API server (GHSL-2024-193)

An insecure CORS configuration in the Cognita backend server allows arbitrary websites to send credentialed cross-site requests to the application.

from fastapi import FastAPI
from fastapi.middleware.cors import CORSMiddleware

app = FastAPI()

app.add_middleware(
    CORSMiddleware,
    allow_origins=["*"],      # every origin is accepted ...
    allow_credentials=True,   # ... and may include cookies/credentials with its requests
    allow_methods=["*"],
    allow_headers=["*"],
)

Impact

This issue may lead to Privilege Escalation. An unauthorized attacker may be able to access the backend API without the user’s knowledge.

Issue 2: Arbitrary File Write (GHSL-2024-194)

A path traversal issue exists at /v1/internal/upload-to-local-directory, which is enabled when the Local environment variable is set to true, such as when Cognita is set up using Docker.

@router.post("/upload-to-local-directory")
async def upload_to_docker_directory(
    upload_name: str = Form(
        default_factory=lambda: str(uuid.uuid4()), regex=r"^[a-z][a-z0-9-]*$"
    ),
    files: List[UploadFile] = File(...),
):
...
        for file in files:
            logger.info(f"Copying file: {file.filename}, to folder: {folder_path}")
            # file.filename is taken from the request unchanged, so a name containing
            # path separators or ".." places file_path outside folder_path
            file_path = os.path.join(folder_path, file.filename)
            with open(file_path, "wb") as f:
                f.write(file.file.read())

Because the Docker environment starts the backend uvicorn server with auto-reload enabled, when an attacker overwrites the /app/backend/__init__.py file it is automatically reloaded and executed. This gives the attacker remote code execution in the context of the Docker container.
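An added example (not Cognita's own code) of the containment check a fixed upload handler would need for Issue 2, shown beside the unchecked join from the handler above; the base directory /app/user_data and the sample file names are assumed and constructed for illustration only:

```python
# Added example, not Cognita's own code: a containment check that replaces the
# unchecked os.path.join(folder_path, file.filename) from Issue 2.
# /app/user_data is an assumed base directory used only for illustration.
import os
import re

# Same restriction the handler already applies to upload_name via Form(regex=...)
UPLOAD_NAME_RE = re.compile(r"^[a-z][a-z0-9-]*$")


def vulnerable_join(folder_path: str, filename: str) -> str:
    """Mirror the advisory's handler: the client-controlled filename is joined
    as-is (normalised here only so the resulting location is visible)."""
    return os.path.normpath(os.path.join(folder_path, filename))


def safe_upload_path(base_dir: str, upload_name: str, filename: str) -> str:
    """Return the path to write `filename` under base_dir/upload_name, or raise
    ValueError when either client-supplied value could leave that folder."""
    if not UPLOAD_NAME_RE.fullmatch(upload_name):
        raise ValueError("invalid upload_name")
    # Reject any directory component outright; treat '\\' as a separator too,
    # since the name comes from the client's filesystem, not the server's.
    if "/" in filename.replace("\\", "/") or filename in ("", ".", ".."):
        raise ValueError("filename must be a bare file name")
    folder = os.path.realpath(os.path.join(base_dir, upload_name))
    target = os.path.realpath(os.path.join(folder, filename))
    # Defence in depth: after symlink resolution the parent must be the upload
    # folder itself (a shared string prefix is not enough: /app/data vs /app/data2).
    if os.path.dirname(target) != folder:
        raise ValueError("filename escapes upload folder")
    return target


def is_rejected(base_dir: str, upload_name: str, filename: str) -> bool:
    """True when safe_upload_path refuses the combination."""
    try:
        safe_upload_path(base_dir, upload_name, filename)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed names: the traversal forms resolve to the auto-reloaded module
    # named in the advisory; the bare name stays inside the upload folder.
    for name in ("../../backend/__init__.py", "/app/backend/__init__.py", "report.pdf"):
        print(f"{name!r:30} join -> {vulnerable_join('/app/user_data/demo', name):28}"
              f" rejected: {is_rejected('/app/user_data', 'demo', name)}")
```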

This vulnerability was found with the help of CodeQL’s Python Path Injection query.

Impact

This issue may lead to Remote Code Execution.

CVE

Credit

These issues were discovered and reported by GHSL team member @Kwstubbs (Kevin Stubbings).

Contact

You can contact the GHSL team at securitylab@github.com. Please include a reference to GHSL-2024-193 or GHSL-2024-194 in any communication regarding these issues.