Platform: python
Component: lollms-webui
Fixed in: v14
CVE-2024-8581 is a critical Path Traversal vulnerability affecting parisneo/lollms-webui versions up to and including v14. This vulnerability allows attackers to delete arbitrary files and directories on the system, potentially leading to complete system compromise. The root cause lies in the upload_app function's failure to properly sanitize user-provided filenames. A fix is available in version v14.
The impact of CVE-2024-8581 is severe. An attacker exploiting this vulnerability can delete any file or directory accessible to the lollms-webui process. This includes critical system files, configuration files, and user data. Successful exploitation could lead to a denial of service, data loss, or even complete system takeover. The ability to delete arbitrary files significantly expands the attack surface beyond simple information disclosure, making this a high-priority vulnerability to address. The lack of input validation means an attacker can craft a malicious filename containing path traversal sequences (e.g., ../../../../etc/passwd) to navigate outside the intended upload directory.
CVE-2024-8581 was publicly disclosed on 2025-03-20. The vulnerability's ease of exploitation, combined with the critical impact, suggests a potential for active exploitation. While no public proof-of-concept (PoC) has been identified as of this writing, the simplicity of the attack vector makes it likely that one will emerge. The EPSS score is likely to be assessed as medium to high, reflecting the potential for widespread exploitation.
Organizations running lollms-webui, particularly those using it for sensitive data processing or in environments with limited security controls, are at significant risk. Shared hosting environments where multiple users share the same server are particularly vulnerable, as a compromised lollms-webui instance could potentially impact other users on the same server.
• python / server:
    import os

    # Check for suspicious files in upload directories
    for dirpath, dirnames, filenames in os.walk('/path/to/lollms-webui/uploads'):
        for filename in filenames:
            if '..' in filename:
                print(f'Suspicious filename detected: {os.path.join(dirpath, filename)}')
• linux / server:
    # Monitor upload directories for unexpected file modifications
    # -F makes grep match the literal string '..' instead of any two characters
    journalctl -f -u lollms-webui | grep 'upload' | grep -F '..'
• generic web:
    # Check for 403 or other error indicating access denied
    curl -I 'http://your-lollms-webui/upload_app?filename=../../../../etc/passwd'
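The checks above look at files already on disk and at raw journal output. As an added example (not part of the original advisory or the lollms-webui project), the script below scans access-log lines for traversal sequences in the filename parameter, decoding URL encoding (including double encoding) before matching, and records whether each hit was answered with a 403. It assumes a reverse proxy in front of the app writes requests in common log format; the log lines are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (common log format); not real lollms-webui logs.
SAMPLE_LOG = """\
203.0.113.10 - - [20/Mar/2025:10:00:01 +0000] "POST /upload_app?filename=model.bin HTTP/1.1" 200 512
203.0.113.11 - - [20/Mar/2025:10:00:02 +0000] "POST /upload_app?filename=../../../../etc/passwd HTTP/1.1" 200 17
203.0.113.12 - - [20/Mar/2025:10:00:03 +0000] "POST /upload_app?filename=..%2F..%2Fconfig.yaml HTTP/1.1" 200 17
203.0.113.13 - - [20/Mar/2025:10:00:04 +0000] "POST /upload_app?filename=%252e%252e%252fsecrets HTTP/1.1" 403 0
203.0.113.14 - - [20/Mar/2025:10:00:05 +0000] "GET /index.html HTTP/1.1" 200 1024
"""

# A '..' segment next to a forward or back slash, after decoding.
TRAVERSAL = re.compile(r"\.\.[\\/]|[\\/]\.\.")
# Request line: method, target and status code from a common-log-format entry.
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+" (?P<status>\d{3})')


def fully_decode(s: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly so %252e (double-encoded '.') is caught too."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def has_traversal(target: str) -> bool:
    """True if the decoded request target contains a '../' or '/..' sequence."""
    return TRAVERSAL.search(fully_decode(target)) is not None


def find_traversal_requests(log_text: str) -> list:
    """Return one record per log line whose request target contains traversal.

    'blocked' is True only when the server answered 403; a 200 on such a
    request is the case worth investigating first.
    """
    hits = []
    for line in log_text.splitlines():
        m = REQUEST.search(line)
        if not m:
            continue
        target = m.group("target")
        if has_traversal(target):
            hits.append({
                "ip": line.split()[0],
                "target": fully_decode(target),
                "status": int(m.group("status")),
                "blocked": m.group("status") == "403",
            })
    return hits


if __name__ == "__main__":
    for hit in find_traversal_requests(SAMPLE_LOG):
        flag = "blocked" if hit["blocked"] else "NOT blocked"
        print(f'{hit["ip"]} {hit["status"]} {flag}: {hit["target"]}')
```

Matching on the decoded target rather than the raw line is the point: the page's `grep '..'` check misses `%2e%2e` and double-encoded variants, and a proxy or WAF rule that only inspects the raw query string has the same blind spot.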
Disclosure:
Patch:
Exploit status:
EPSS: 0.22% (45th percentile)
CISA SSVC:
CVSS vector:
The primary mitigation for CVE-2024-8581 is to upgrade to version v14 of lollms-webui. This version includes the necessary input validation to prevent path traversal attacks. If upgrading immediately is not possible, consider implementing temporary workarounds. Restrict file upload permissions to the lollms-webui user account to limit the scope of potential damage. Implement a Web Application Firewall (WAF) with rules to block requests containing suspicious path traversal patterns. Carefully review and restrict the directories accessible to the lollms-webui process. After upgrading, verify the fix by attempting to upload a file with a malicious filename containing path traversal sequences (e.g., ../../../../etc/passwd) and confirming that the upload fails with an appropriate error.
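To make the root cause and the fix concrete, the following added example (not the project's own upload_app code) contrasts the naive join that produces this class of bug with a validated version that rejects separators, dot-dot components and NUL bytes and then confirms, after resolving the path, that the target is a direct child of the upload directory. The upload root is a constructed temporary directory; the helper and function names are assumptions for the example.

```python
import os
import tempfile
from pathlib import Path

# Constructed upload root standing in for the lollms-webui upload directory.
UPLOAD_ROOT = Path(tempfile.mkdtemp(prefix="uploads_")).resolve()


def unsafe_target_path(upload_root: Path, filename: str) -> Path:
    """Naive join that trusts the client-supplied filename.

    This is the pattern behind a path traversal bug: '../' segments in
    `filename` walk out of `upload_root`, so a delete or write on the
    result touches any file the process can reach.
    """
    return Path(os.path.join(str(upload_root), filename))


def safe_target_path(upload_root: Path, filename: str) -> Path:
    """Validate a client-supplied filename and return a path inside upload_root.

    Raises ValueError on empty names, NUL bytes, any path separator
    (forward or back slash), '.' / '..', or a resolved path whose parent
    is not the upload root (which also catches symlinks pointing elsewhere).
    """
    if not filename or "\x00" in filename:
        raise ValueError("empty filename or NUL byte")
    # Treat backslashes as separators so Windows-style traversal is caught on POSIX too.
    normalized = filename.replace("\\", "/")
    if "/" in normalized:
        raise ValueError("path separators are not allowed in an upload filename")
    if normalized in (".", ".."):
        raise ValueError("dot and dot-dot are not valid filenames")
    root = upload_root.resolve()
    candidate = (root / normalized).resolve()
    # The containment check is the real guarantee; the string checks above
    # only exist to give clearer error messages.
    if candidate.parent != root:
        raise ValueError("resolved path escapes the upload directory")
    return candidate


def escapes_root(upload_root: Path, candidate: Path) -> bool:
    """True if `candidate` resolves to something outside `upload_root`."""
    root = upload_root.resolve()
    resolved = candidate.resolve()
    return resolved != root and root not in resolved.parents


def is_rejected(filename: str) -> bool:
    """Convenience wrapper: does the validated join refuse this filename?"""
    try:
        safe_target_path(UPLOAD_ROOT, filename)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    traversal = "../../../../etc/passwd"
    print("naive join escapes root:",
          escapes_root(UPLOAD_ROOT, unsafe_target_path(UPLOAD_ROOT, traversal)))
    print("validated join rejects it:", is_rejected(traversal))
    print("validated join accepts model.bin:", safe_target_path(UPLOAD_ROOT, "model.bin"))
```

The same containment test doubles as the post-upgrade verification the paragraph describes: submit a filename carrying traversal sequences and confirm the server refuses it rather than resolving it to a path outside the upload directory.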
Update the parisneo/lollms-webui application to version 14 or higher. This version contains a fix for the path traversal vulnerability. It is recommended to apply the update as soon as possible to prevent possible attacks.
CVE-2024-8581 is a critical vulnerability in parisneo/lollms-webui versions ≤v14 that allows attackers to delete files and directories due to insufficient input filtering.
You are affected if you are running lollms-webui versions prior to v14. Immediately assess your environment and upgrade.
Upgrade to version v14 of lollms-webui. If immediate upgrade is not possible, implement temporary workarounds like restricting file upload permissions and using a WAF.
While no active exploitation has been confirmed, the vulnerability's ease of exploitation suggests a potential for active campaigns.
Refer to the official parisneo/lollms-webui repository and associated security advisories for the latest information.