cbcvebase.
CVE-2025-55523
published 2025-08-21

CVE-2025-55523: An issue in the component /api/download_work_dir_file.py of Agent-Zero v0.8.* allows attackers to execute a directory traversal.

Priority: P2 (74) · Severity: low · CVSS 3.1 base score: 3.5
Vector: AV:A / AC:L / PR:L / UI:N / S:U / C:L / I:N / A:N
Tags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 0.98% (57.7th percentile)

Affected

1 range

Vendor        Product       Version range    Fixed in
agent-zero    agent-zero    0.8 – 0.9.4      (none listed)

Detection & IOCs (extracted from sources)

path: /api/download_work_dir_file.py
url (Nuclei-style template): {{BaseURL}}/download_work_dir_file?path=/etc/passwd
yara:

rule CVE_2025_55523_AgentZero_PathTraversal
{
    strings:
        // root entry of a leaked /etc/passwd in the response body
        $re1 = /root:.*:0:0:/
        // Content-Disposition header the endpoint sets for the downloaded file
        $hdr = "filename=passwd"
    condition:
        $re1 and $hdr
}
  • Look for GET requests to /download_work_dir_file whose 'path' parameter contains traversal sequences ('../', including URL-encoded forms such as '..%2F') or an absolute path such as '/etc/passwd'.
  • Successful exploitation returns HTTP 200 with a response body matching 'root:.*:0:0:' and a Content-Disposition header containing 'filename=passwd'. The YARA rule above checks both strings, so run it against the full HTTP response (status line, headers and body), not the body alone, or the header string will never match.
  • Shodan/FOFA exposure: identify internet-facing Agent-Zero instances via Shodan http.title:"Agent Zero" or FOFA title="Agent Zero" as potential targets.
  • The detection notes treat the endpoint as unauthenticated (PR:N/UI:N), but the NVD vector recorded below scores it PR:L (low privileges required) and AV:A (adjacent network). Confirm against your own deployment whether the endpoint is reachable without a session before assuming unauthenticated exposure.
  • Affected versions listed here are Agent-Zero 0.8 through 0.9.4; the advisory text itself names only v0.8.*, and no fixed version is listed on this page, so do not assume later releases are patched without checking the project's release notes.
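The request-side and response-side indicators in the list above, turned into runnable detection logic. This is an added example written for this page; it is not code from Agent-Zero, from the advisory's sources, or from the YARA rule's author. It assumes the reverse proxy in front of Agent-Zero writes Common Log Format (change CLF_RE otherwise); the route name is taken from the page's URL template; every log line and the HTTP response below are constructed samples.

```python
"""Detection helpers for the CVE-2025-55523 request and response indicators.

Added example, not code from Agent-Zero or from the advisory's sources.
Assumptions: Common Log Format access logs (adjust CLF_RE for your proxy);
the route name comes from the page's URL template; all sample data below
is constructed for illustration.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Route from the page's URL template: {{BaseURL}}/download_work_dir_file?path=...
TARGET_ROUTE = "/download_work_dir_file"

# Constructed access-log lines (CLF). Lines 2 and 4 are the two traversal forms
# named on the page; line 3 is a double-URL-encoded variant that was blocked.
SAMPLE_LOG = """\
203.0.113.5 - - [21/Aug/2025:10:01:02 +0000] "GET /download_work_dir_file?path=notes.txt HTTP/1.1" 200 512
203.0.113.9 - - [21/Aug/2025:10:01:05 +0000] "GET /download_work_dir_file?path=../../../../etc/passwd HTTP/1.1" 200 1843
203.0.113.9 - - [21/Aug/2025:10:01:06 +0000] "GET /download_work_dir_file?path=%252e%252e%252fetc%252fshadow HTTP/1.1" 403 0
203.0.113.9 - - [21/Aug/2025:10:01:07 +0000] "GET /download_work_dir_file?path=/etc/passwd HTTP/1.1" 200 1843
198.51.100.2 - - [21/Aug/2025:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 4096
"""

CLF_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def is_traversal(path_param: str) -> bool:
    """True if the 'path' value would escape a relative work directory:
    an absolute path, or any '..' segment after decoding. Decoding twice
    and folding backslashes catches the encoded forms used to dodge naive filters."""
    decoded = unquote(unquote(path_param))
    normalized = decoded.replace("\\", "/")
    if normalized.startswith("/"):
        return True
    return ".." in normalized.split("/")


def scan_log(text: str) -> list[dict]:
    """One finding per request to the download route whose 'path' traverses.
    likely_success mirrors the page's indicator: HTTP 200 with a non-empty body."""
    findings = []
    for line in text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        # Tolerate a mount prefix (e.g. /api) in front of the route.
        if not url.path.rstrip("/").endswith(TARGET_ROUTE):
            continue
        for value in parse_qs(url.query).get("path", []):
            if is_traversal(value):
                findings.append({
                    "src": m["src"],
                    "ts": m["ts"],
                    "path": value,
                    "status": int(m["status"]),
                    "likely_success": m["status"] == "200" and m["size"] not in ("0", "-"),
                })
    return findings


# Same pattern as $re1 in the page's YARA rule.
PASSWD_ROOT_RE = re.compile(rb"root:.*:0:0:")


def response_indicates_passwd_leak(raw_response: bytes) -> bool:
    """Same condition as the YARA rule, with each string checked where it belongs:
    'filename=passwd' in the headers, the root entry in the body. Feed it the
    full response (status line + headers + body), never the body alone."""
    head, sep, body = raw_response.partition(b"\r\n\r\n")
    if not sep or not re.match(rb"HTTP/\d\.\d 200", head):
        return False
    return b"filename=passwd" in head and PASSWD_ROOT_RE.search(body) is not None


# Constructed response of the kind the page describes as a successful leak.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b"Content-Disposition: attachment; filename=passwd\r\n"
    b"\r\n"
    b"root:x:0:0:root:/root:/bin/bash\n"
    b"daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
)

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
    print("passwd leak:", response_indicates_passwd_leak(SAMPLE_RESPONSE))
```

Against the constructed log, scan_log flags the three traversal requests and marks the two that got a 200 with a body as likely successful; the blocked double-encoded attempt is still reported, since a 403 on a traversal probe is worth a hunt in its own right. If your proxy logs in JSON or a different format, only CLF_RE and the field lookups need to change.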

CVSS provenance

nvd          v3.1    3.5 LOW    CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
vulncheck            3.5 LOW