A vulnerability in parisneo/lollms, up to and including version 2.2.0, allows unauthenticated users to upload and process files through the `/api/files/extract-text` endpoint. This endpoint does not enforce authentication, unlike other file-related endpoints, and lacks the `Depends(get_current_active_user)` dependency. This issue can lead to denial of service (DoS) through resource exhaustion, information disclosure, and violation of the application's documented security policies.
The `/api/files/extract-text` endpoint does not enforce authentication, unlike other file handling endpoints in the same application. It lacks the `Depends(get_current_active_user)` dependency, which is used in other endpoints and is responsible for user identity verification. Any person with network access to the application can therefore send requests to this endpoint and initiate file processing without any login.
An attacker can cause server resource exhaustion (DoS through resource exhaustion), information disclosure, and violation of documented application security policies. Due to the lack of authentication requirement, any person with network access to the service can conduct the attack.
Update the application to the version that includes the patch described in commit a6625dc83786ff21d109b0d545ca61b770607ef3 in the GitHub repository. The patch consists of adding the required authentication dependency to the `/api/files/extract-text` endpoint. If an immediate update is not possible, it is recommended to restrict network access to the application (e.g., through a firewall or authenticating reverse proxy).
parisneo/Lollms in versions up to 2.2.0 inclusive
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HLollms
APPLollms≤ 2.1.0
Related vulnerabilities
Stored XSS w funkcji create_post platformy lollms — przejęcie konta
Słaby klucz JWT umożliwia privilege escalation w parisneo/lollms
Path Traversal w lollms — nieautoryzowany odczyt plików na Windows
A critical security vulnerability in parisneo/lollms versions up to 2.2.0 allows any authenticated user to acc...
A Server-Side Request Forgery (SSRF) vulnerability exists in parisneo/lollms versions prior to 2.2.0, specific...