Platform: python
Component: haotian-liu/llava
CVE-2024-12065 describes a local file inclusion (LFI) vulnerability discovered in the LLaVA project, specifically within its gradio web UI component. This flaw allows an attacker to potentially read arbitrary files from the server's file system. The vulnerability affects versions up to the latest release and requires multiple crafted requests to exploit. A fix is expected to be released by the LLaVA maintainers.
The impact of this vulnerability is significant due to the potential for attackers to gain access to sensitive data stored on the server. An attacker could leverage this LFI to read configuration files, source code, or even private keys, depending on the server's file system structure and permissions. Successful exploitation could lead to data breaches, unauthorized access to systems, and potential compromise of the entire environment. While the vulnerability requires multiple requests, the ease of crafting these requests makes it a relatively accessible attack vector. The gradio web UI is often used for demonstration and experimentation, increasing the likelihood of exposure.
CVE-2024-12065 was publicly disclosed on 2025-03-20. Currently, there are no known public exploits or active campaigns targeting this vulnerability. The EPSS score is pending evaluation. While no KEV listing exists at the time of writing, the ease of exploitation warrants close monitoring.
Exploit Status
EPSS: 0.14% (34th percentile)
The primary mitigation for CVE-2024-12065 is to upgrade to a patched version of LLaVA as soon as it becomes available. Until a patch is released, several temporary mitigations can be implemented. First, restrict file access permissions on the server to minimize the potential impact of a successful exploit. Second, implement stricter input validation on the gradio web UI component to prevent attackers from manipulating file paths. Consider using a Web Application Firewall (WAF) to filter malicious requests. Regularly review server logs for suspicious activity related to file access attempts.
Update the haotian-liu/llava library to the latest available version. This should include the fix for the local file inclusion vulnerability. Check the release notes to confirm that CVE-2024-12065 has been addressed.
CVE-2024-12065 is a vulnerability in LLaVA allowing attackers to read arbitrary files via crafted requests to the gradio web UI. It has a CVSS score of 7.5 (HIGH).
If you are using LLaVA versions up to the latest release and have the gradio web UI enabled, you are potentially affected by this vulnerability.
Upgrade to a patched version of LLaVA as soon as it becomes available. Until then, restrict file access and implement stricter input validation.
As of 2025-03-20, there are no known public exploits or active campaigns targeting this vulnerability, but it should be monitored closely.
Refer to the LLaVA project's official website and GitHub repository for updates and security advisories related to CVE-2024-12065.