upsonic 0.55.6a1749248294

Direct Vulnerabilities

Known vulnerabilities in the upsonic package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
C Deserialization of Untrusted Data upsonic is a Task oriented AI agent framework for digital workers and vertical AI agents Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the `add_tool` endpoint, which listens on TCP port 7541 by default, and uses `cloudpickle.loads()`. An attacker can execute arbitrary code as the service account by sending a malicious serialized payload. How to fix Deserialization of Untrusted Data? Upgrade `upsonic` to version 0.70.0 or higher.	[,0.70.0)
M Directory Traversal upsonic is a Task oriented AI agent framework for digital workers and vertical AI agents Affected versions of this package are vulnerable to Directory Traversal via the `os.path.join` function. An attacker can access or modify files outside the intended directory by manipulating the `file.filename` argument. How to fix Directory Traversal? Upgrade `upsonic` to version 0.56.0 or higher.	[0,0.56.0)
M Deserialization of Untrusted Data upsonic is a Task oriented AI agent framework for digital workers and vertical AI agents Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the `cloudpickle.loads` function in the `/tools/add_tool` process. An attacker can execute arbitrary code by providing crafted serialized input. How to fix Deserialization of Untrusted Data? Upgrade `upsonic` to version 0.56.0 or higher.	[0,0.56.0)

Vulnerability

Vulnerable Version

Deserialization of Untrusted Data

upsonic is a Task oriented AI agent framework for digital workers and vertical AI agents

Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the add_tool endpoint, which listens on TCP port 7541 by default, and uses cloudpickle.loads(). An attacker can execute arbitrary code as the service account by sending a malicious serialized payload.

How to fix Deserialization of Untrusted Data?

Upgrade upsonic to version 0.70.0 or higher.

[,0.70.0)

Directory Traversal

upsonic is a Task oriented AI agent framework for digital workers and vertical AI agents

Affected versions of this package are vulnerable to Directory Traversal via the os.path.join function. An attacker can access or modify files outside the intended directory by manipulating the file.filename argument.

How to fix Directory Traversal?

Upgrade upsonic to version 0.56.0 or higher.

[0,0.56.0)

Deserialization of Untrusted Data

upsonic is a Task oriented AI agent framework for digital workers and vertical AI agents

Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the cloudpickle.loads function in the /tools/add_tool process. An attacker can execute arbitrary code by providing crafted serialized input.

How to fix Deserialization of Untrusted Data?

Upgrade upsonic to version 0.56.0 or higher.

[0,0.56.0)

upsonic@0.55.6a1749248294

Agent Framework For Fintech

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

Fix vulnerabilities automatically