CRITICAL🇵🇱 Wersja polska

CVE-2024-5443

CVSS 9.8v3.0pub. 2024-06-22upd. 2026-04-15

CVE-2024-4320 describes a vulnerability in the parisneo/lollms software, specifically within the `ExtensionBuilder().build_extension()` function. The vulnerability arises from the `/mount_extension` endpoint, where a path traversal issue allows attackers to navigate beyond the intended directory structure. This is facilitated by the `data.category` and `data.folder` parameters accepting empty strings (`""`), which, due to inadequate input sanitization, can lead to the construction of a `package_path` that points to the root directory. Consequently, if an attacker can create a `config.yaml` file in a controllable path, this path can be appended to the `extensions` list and trigger the execution of `__init__.py` in the current directory, leading to remote code execution. The vulnerability affects versions up to 5.9.0, and has been addressed in version 9.8.

🤖 AI Analysis
How it works

The `ExtensionBuilder().build_extension()` function called by the `/mount_extension` endpoint accepts `data.category` and `data.folder` parameters, which can accept empty strings (`""`). The lack of proper sanitization of these input data causes the constructed `package_path` variable to point to the root directory of the file system (path traversal, CWE-29). If an attacker is able to place a `config.yaml` file in a path under their control, that path is added to the `extensions` list, resulting in the execution of the `__init__.py` file located in the current directory — leading to remote code execution.

Impact

An attacker can gain full control over the system on which the lollms application is running, including reading and modifying data as well as executing arbitrary system commands (RCE). The vulnerability is remotely exploitable, without authentication and without user interaction.

Mitigation & patch

The parisneo/lollms software should be updated to version 9.8, in which the vulnerability has been fixed. A patch is also available in the vendor references (commit: 2d0c4e76be93195836ecd0948027e791b8a2626f on GitHub).

Who is affected

parisneo/lollms software in versions up to and including 5.9.0

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCEPath Traversal
CWE
References