CRITICAL🇵🇱 Wersja polska

CVE-2024-6868

CVSS 9.8v3.1pub. 2024-10-29upd. 2025-10-15

mudler/LocalAI version 2.17.1 allows for arbitrary file write due to improper handling of automatic archive extraction. When model configurations specify additional files as archives (e.g., .tar), these archives are automatically extracted after downloading. This behavior can be exploited to perform a 'tarslip' attack, allowing files to be written to arbitrary locations on the server, bypassing checks that normally restrict files to the models directory. This vulnerability can lead to remote code execution (RCE) by overwriting backend assets used by the server.

🤖 AI Analysis
How it works

When model configuration points to additional files as archives (e.g., .tar), LocalAI automatically extracts them after download. This mechanism does not properly verify paths contained in the archive, allowing an attacker to prepare a .tar archive containing files with path traversal in file names (e.g., ../../). As a result, files can be written outside the designated model directory, bypassing security mechanisms. Overwriting backend files used by the server can subsequently lead to RCE.

Impact

An attacker can write arbitrary files to any location on the server file system, and by overwriting backend resources — gain remote code execution (RCE) with the privileges of the LocalAI process.

Mitigation & patch

A patch available in the vendor's repository should be applied (commit a181dd0ebc5d3092fc50f61674d552604fe8ef9c on GitHub) and LocalAI should be updated to a version containing this fix. It is recommended to restrict network access to the LocalAI instance and restrict the server process permissions to the minimum necessary.

Who is affected

mudler/LocalAI version 2.17.1

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Mudler Localai

    APP
    Mudler
    2.17.1
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCE
CWE
References

Related vulnerabilities

CVE-2024-5181CRITICAL9.8PL ✓ten sam produkt

Command injection w LocalAI — pełne przejęcie systemu przez parametr backend

CVE-2024-5182CRITICAL9.1PL ✓ten sam produkt

Path traversal w LocalAI umożliwiający usuwanie dowolnych plików

CVE-2024-2029CRITICAL9.8PL ✓ten sam produkt

Command injection w mudler/LocalAI — endpoint transkrypcji audio

CVE-2024-6983HIGH8.8ten sam produkt

mudler/localai version 2.17.1 is vulnerable to remote code execution. The vulnerability arises because the loc...

CVE-2024-9900MEDIUM6.1ten sam produkt

mudler/localai version v2.21.1 contains a Cross-Site Scripting (XSS) vulnerability in its search functionality...