CVE-2024-8581: Path Traversal in lollms-webui
Platform: python
Component: lollms-webui
Fixed in: v14
CVE-2024-8581 is a critical Path Traversal vulnerability affecting parisneo/lollms-webui versions up to and including v14. This vulnerability allows attackers to delete arbitrary files and directories on the system, potentially leading to complete system compromise. The root cause lies in the upload_app function's failure to properly sanitize user-provided filenames. A fix is available in version v14.
Impact and Attack Scenarios
The impact of CVE-2024-8581 is severe. An attacker exploiting this vulnerability can delete any file or directory accessible to the lollms-webui process. This includes critical system files, configuration files, and user data. Successful exploitation could lead to a denial of service, data loss, or even complete system takeover. The ability to delete arbitrary files significantly expands the attack surface beyond simple information disclosure, making this a high-priority vulnerability to address. The lack of input validation means an attacker can craft a malicious filename containing path traversal sequences (e.g., ../../../../etc/passwd) to navigate outside the intended upload directory.
Exploitation Context
CVE-2024-8581 was publicly disclosed on 2025-03-20. The vulnerability's ease of exploitation, combined with the critical impact, suggests a potential for active exploitation. While no public proof-of-concept (PoC) has been identified as of this writing, the simplicity of the attack vector makes it likely that one will emerge. The EPSS score is likely to be assessed as medium to high, reflecting the potential for widespread exploitation.
Threat Intelligence
EPSS: 0.22% (45th percentile)
CVSS Vector
- Attack Vector: Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
- Attack Complexity: Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
- Privileges Required: None — unauthenticated. No login or credentials needed to exploit.
- User Interaction: None — attack is automatic and silent. Victim does nothing: no click, no file open.
- Scope: Unchanged — impact is limited to the vulnerable component itself.
- Confidentiality: None — no confidentiality impact. Attacker cannot read protected data.
- Integrity: High — attacker can write, modify, or delete any data: databases, config files, or code.
- Availability: High — complete crash or resource exhaustion. Full denial of service.
Mitigation and Workarounds
The primary mitigation for CVE-2024-8581 is to upgrade to version v14 of lollms-webui. This version includes the necessary input validation to prevent path traversal attacks. If upgrading immediately is not possible, consider implementing temporary workarounds. Restrict file upload permissions to the lollms-webui user account to limit the scope of potential damage. Implement a Web Application Firewall (WAF) with rules to block requests containing suspicious path traversal patterns. Carefully review and restrict the directories accessible to the lollms-webui process. After upgrading, verify the fix by attempting to upload a file with a malicious filename containing path traversal sequences (e.g., ../../../../etc/passwd) and confirming that the upload fails with an appropriate error.
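The root cause described above is an upload handler that joins a raw, user-controlled filename onto its upload directory. The following is an added example (not code from lollms-webui or its fix) of the kind of filename validation the mitigation section calls for: it decodes percent-encoding once, refuses any name carrying directory components, and confirms the canonical path still sits directly under the upload root. The upload directory path and the sample filenames are constructed for illustration.

```python
from pathlib import Path
from urllib.parse import unquote


class UnsafeFilename(ValueError):
    """Raised when a user-supplied filename would escape the upload directory."""


def resolve_upload_target(upload_dir: str, user_filename: str) -> Path:
    """Return an absolute path inside upload_dir for a user-supplied filename.

    Hypothetical hardening for the CVE-2024-8581 pattern (upload handler joins
    the raw filename onto its directory and later deletes that path). Rather
    than trying to "clean" traversal sequences, anything that is not a plain
    file name is rejected outright.
    """
    root = Path(upload_dir).resolve()
    # Decode exactly once so an encoded '..%2F' is not waved through; a name
    # that still contains a separator, NUL or dot component is refused.
    decoded = unquote(user_filename)
    if not decoded or decoded in (".", ".."):
        raise UnsafeFilename("empty or dot filename")
    if "/" in decoded or "\\" in decoded or "\x00" in decoded:
        raise UnsafeFilename(f"path separator or NUL in filename: {user_filename!r}")
    candidate = (root / decoded).resolve()
    # resolve() follows symlinks, so a planted symlink inside the upload
    # directory that points elsewhere is also caught by this parent check.
    if candidate.parent != root:
        raise UnsafeFilename(f"resolved outside upload root: {candidate}")
    return candidate


def is_safe_upload_name(upload_dir: str, user_filename: str) -> bool:
    """Boolean form, convenient for a block/log decision in a request filter."""
    try:
        resolve_upload_target(upload_dir, user_filename)
        return True
    except UnsafeFilename:
        return False


if __name__ == "__main__":
    # Constructed sample: an assumed upload root and a few submitted names.
    UPLOAD_ROOT = "/srv/lollms/uploads"
    for name in ("app.zip", "../../../../etc/passwd", "..%2F..%2Fetc%2Fpasswd", ".."):
        print(f"{name!r}: {'accepted' if is_safe_upload_name(UPLOAD_ROOT, name) else 'rejected'}")
```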
How to fix
Update the parisneo/lollms-webui application to version 14 or later. This version contains a fix for the Path Traversal vulnerability. It is recommended to perform the update as soon as possible to prevent potential attacks.
Frequently asked questions
What is CVE-2024-8581 — Path Traversal in lollms-webui?
CVE-2024-8581 is a critical vulnerability in parisneo/lollms-webui versions ≤v14 that allows attackers to delete files and directories due to insufficient input filtering.
Am I affected by CVE-2024-8581 in lollms-webui?
You are affected if you are running lollms-webui versions prior to v14. Immediately assess your environment and upgrade.
How do I fix CVE-2024-8581 in lollms-webui?
Upgrade to version v14 of lollms-webui. If immediate upgrade is not possible, implement temporary workarounds like restricting file upload permissions and using a WAF.
Is CVE-2024-8581 being actively exploited?
While no active exploitation has been confirmed, the vulnerability's ease of exploitation suggests a potential for active campaigns.
Where can I find the official lollms-webui advisory for CVE-2024-8581?
Refer to the official parisneo/lollms-webui repository and associated security advisories for the latest information.