Platform: python
Component: haotian-liu/llava
CVE-2024-12065 describes a local file inclusion (LFI) vulnerability in the LLaVA project, specifically in its gradio web UI component. The flaw allows an attacker to read arbitrary files from the host, leading to sensitive data exposure or further exploitation. It affects versions up to the latest release and was published on 2025-03-20. Mitigation consists of robust input validation and restricting the files the application may access.
The impact of this vulnerability is significant due to the potential for arbitrary file access. An attacker could leverage this LFI to read configuration files containing credentials, source code exposing intellectual property, or other sensitive data. Depending on the system's configuration and permissions, an attacker might be able to escalate privileges or gain further access to the underlying infrastructure. While not directly leading to remote code execution, the information gained from file access could be used to identify and exploit other vulnerabilities. This vulnerability shares similarities with other LFI exploits where attackers use path traversal techniques to bypass security controls.
CVE-2024-12065 is not currently listed on the CISA KEV catalog. The EPSS score is likely to be medium, given the public disclosure and the relatively straightforward nature of LFI exploitation. Public proof-of-concept (PoC) code is likely to emerge, increasing the risk of exploitation. The vulnerability was published on 2025-03-20.
Users deploying LLaVA for research or experimentation, particularly those using the gradio web UI for interactive demonstrations, are at risk. Shared hosting environments where LLaVA is deployed alongside other applications are also vulnerable, as a successful exploit could potentially compromise the entire host.
• python / server:
import requests

# Target URL (placeholder host)
url = "http://your-llava-server/gradio_app"
# Attempt to read a sensitive file
file_to_read = "/etc/passwd"
# Craft the request
params = {'file': file_to_read}
# Send the request
response = requests.get(url, params=params, timeout=10)
# Check the response
if response.status_code == 200:
    print(f"File content: {response.text}")
else:
    print(f"Request failed with status code: {response.status_code}")
• linux / server:
# Monitor access logs for suspicious file requests
grep -i "/etc/passwd" /var/log/apache2/access.log
Disclosure
Exploit status
EPSS
0.14% (34th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-12065 is to apply the vendor-provided fix, which involves implementing proper input validation within the gradio web UI component. Until a fix is available, consider restricting file access permissions to the LLaVA application. Implement a Web Application Firewall (WAF) with rules to block suspicious path traversal attempts (e.g., '../' sequences). Monitor access logs for unusual file requests and implement intrusion detection signatures to identify potential exploitation attempts. After applying the fix, confirm by attempting to access a non-existent file through the gradio UI and verifying that access is denied.
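As an added example (not code from the LLaVA project or from this advisory), the containment check the mitigation text calls for: a client-supplied file name is resolved under an allowlisted root directory and any request that escapes it, including traversal sequences and absolute paths, is rejected. The root directory, function names and sample requests are constructed for illustration.

```python
import os
import tempfile
from pathlib import Path
from urllib.parse import unquote


class PathOutsideRootError(ValueError):
    """Raised when a requested path would escape the allowed directory."""


def resolve_under_root(root: str, requested: str) -> str:
    """Return the real filesystem path for `requested`, confined to `root`.

    `requested` is a client-supplied file name. It is percent-decoded, joined
    onto `root`, then fully resolved (symlinks and '..' included) before the
    containment check, so the check runs on what the OS would actually open.
    """
    decoded = unquote(requested)
    if "\x00" in decoded:                       # NUL bytes are never legitimate
        raise PathOutsideRootError("NUL byte in path")
    real_root = os.path.realpath(root)
    # os.path.join drops `real_root` when `decoded` is absolute; that is fine,
    # because the containment check below then rejects the result.
    candidate = os.path.realpath(os.path.join(real_root, decoded))
    if os.path.commonpath([real_root, candidate]) != real_root:
        raise PathOutsideRootError(f"{requested!r} resolves outside {root!r}")
    return candidate


def demo() -> dict:
    """Run the check against a constructed directory; returns a verdict per request."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        Path(root, "images").mkdir()
        Path(root, "images", "cat.png").write_bytes(b"\x89PNG")  # constructed file
        for req in ["images/cat.png",             # legitimate, inside root
                    "../../etc/passwd",           # plain traversal
                    "/etc/passwd",                # absolute path
                    "images/..%2F..%2Fetc/passwd"]:  # percent-encoded traversal
            try:
                resolve_under_root(root, req)
                results[req] = "allowed"
            except PathOutsideRootError:
                results[req] = "rejected"
    return results


if __name__ == "__main__":
    for req, verdict in demo().items():
        print(f"{verdict:8} {req}")
```

Only the first request is allowed; the other three resolve outside the root and are refused before any file is opened.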
Update the haotian-liu/llava library to the latest available version. This should include the fix for the local file inclusion vulnerability. Check the release notes to confirm that CVE-2024-12065 has been addressed.
CVE-2024-12065 is a vulnerability in LLaVA allowing attackers to read arbitrary files via crafted requests to the gradio web UI. It has a CVSS score of 7.5 (HIGH).
If you are using LLaVA versions up to the latest release and have the gradio web UI enabled, you are potentially affected by this vulnerability.
Upgrade to a patched version of LLaVA as soon as it becomes available. Until then, restrict file access and implement stricter input validation.
As of 2025-03-20, there are no known public exploits or active campaigns targeting this vulnerability, but it should be monitored closely.
Refer to the LLaVA project's official website and GitHub repository for updates and security advisories related to CVE-2024-12065.