upsonic 0.55.6a1749248294

Direct Vulnerabilities

Known vulnerabilities in the upsonic package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
H Arbitrary Code Injection upsonic is a Task oriented AI agent framework for digital workers and vertical AI agents Affected versions of this package are vulnerable to Arbitrary Code Injection via the MCP server task creation functionality. An attacker can execute arbitrary operating system commands with the privileges of the running process by crafting MCP tasks that use allowed commands such as `npm` or `npx` with specific argument flags. Note: Version 0.72.0 adds a warning "Stdio servers run arbitrary processes on your machine;" How to fix Arbitrary Code Injection? Upgrade `upsonic` to version 0.72.0 or higher.	[,0.72.0)
C Deserialization of Untrusted Data upsonic is a Task oriented AI agent framework for digital workers and vertical AI agents Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the `add_tool` endpoint, which listens on TCP port 7541 by default, and uses `cloudpickle.loads()`. An attacker can execute arbitrary code as the service account by sending a malicious serialized payload. How to fix Deserialization of Untrusted Data? Upgrade `upsonic` to version 0.70.0 or higher.	[,0.70.0)
M Directory Traversal upsonic is a Task oriented AI agent framework for digital workers and vertical AI agents Affected versions of this package are vulnerable to Directory Traversal via the `os.path.join` function. An attacker can access or modify files outside the intended directory by manipulating the `file.filename` argument. How to fix Directory Traversal? Upgrade `upsonic` to version 0.56.0 or higher.	[0,0.56.0)
M Deserialization of Untrusted Data upsonic is a Task oriented AI agent framework for digital workers and vertical AI agents Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the `cloudpickle.loads` function in the `/tools/add_tool` process. An attacker can execute arbitrary code by providing crafted serialized input. How to fix Deserialization of Untrusted Data? Upgrade `upsonic` to version 0.56.0 or higher.	[0,0.56.0)

Vulnerability

Vulnerable Version

Arbitrary Code Injection

upsonic is a Task oriented AI agent framework for digital workers and vertical AI agents

Affected versions of this package are vulnerable to Arbitrary Code Injection via the MCP server task creation functionality. An attacker can execute arbitrary operating system commands with the privileges of the running process by crafting MCP tasks that use allowed commands such as npm or npx with specific argument flags.

Note:

Version 0.72.0 adds a warning "Stdio servers run arbitrary processes on your machine;"

How to fix Arbitrary Code Injection?

Upgrade upsonic to version 0.72.0 or higher.

[,0.72.0)

Deserialization of Untrusted Data

upsonic is a Task oriented AI agent framework for digital workers and vertical AI agents

Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the add_tool endpoint, which listens on TCP port 7541 by default, and uses cloudpickle.loads(). An attacker can execute arbitrary code as the service account by sending a malicious serialized payload.

How to fix Deserialization of Untrusted Data?

Upgrade upsonic to version 0.70.0 or higher.

[,0.70.0)

Directory Traversal

upsonic is a Task oriented AI agent framework for digital workers and vertical AI agents

Affected versions of this package are vulnerable to Directory Traversal via the os.path.join function. An attacker can access or modify files outside the intended directory by manipulating the file.filename argument.

How to fix Directory Traversal?

Upgrade upsonic to version 0.56.0 or higher.

[0,0.56.0)

Deserialization of Untrusted Data

upsonic is a Task oriented AI agent framework for digital workers and vertical AI agents

Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the cloudpickle.loads function in the /tools/add_tool process. An attacker can execute arbitrary code by providing crafted serialized input.

How to fix Deserialization of Untrusted Data?

Upgrade upsonic to version 0.56.0 or higher.

[0,0.56.0)

upsonic@0.55.6a1749248294

Agent Framework For Fintech

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

Fix vulnerabilities automatically