mudler/LocalAI version 2.17.1 allows for arbitrary file write due to improper handling of automatic archive extraction. When model configurations specify additional files as archives (e.g., .tar), these archives are automatically extracted after downloading. This behavior can be exploited to perform a 'tarslip' attack, allowing files to be written to arbitrary locations on the server, bypassing checks that normally restrict files to the models directory. This vulnerability can lead to remote code execution (RCE) by overwriting backend assets used by the server.
When model configuration points to additional files as archives (e.g., .tar), LocalAI automatically extracts them after download. This mechanism does not properly verify paths contained in the archive, allowing an attacker to prepare a .tar archive containing files with path traversal in file names (e.g., ../../). As a result, files can be written outside the designated model directory, bypassing security mechanisms. Overwriting backend files used by the server can subsequently lead to RCE.
An attacker can write arbitrary files to any location on the server file system, and by overwriting backend resources — gain remote code execution (RCE) with the privileges of the LocalAI process.
A patch available in the vendor's repository should be applied (commit a181dd0ebc5d3092fc50f61674d552604fe8ef9c on GitHub) and LocalAI should be updated to a version containing this fix. It is recommended to restrict network access to the LocalAI instance and restrict the server process permissions to the minimum necessary.
mudler/LocalAI version 2.17.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HMudler Localai
APPMudler2.17.1
Related vulnerabilities
Command injection w LocalAI — pełne przejęcie systemu przez parametr backend
Path traversal w LocalAI umożliwiający usuwanie dowolnych plików
Command injection w mudler/LocalAI — endpoint transkrypcji audio
mudler/localai version 2.17.1 is vulnerable to remote code execution. The vulnerability arises because the loc...
mudler/localai version v2.21.1 contains a Cross-Site Scripting (XSS) vulnerability in its search functionality...