Platform: python
Component: netease-youdao/qanything
CVE-2024-12866 describes a Local File Inclusion (LFI) vulnerability discovered in the qanything Python application, developed by netease-youdao. This flaw allows an attacker with local access to the system to read arbitrary files, potentially exposing sensitive data and enabling remote code execution. The vulnerability impacts versions of qanything up to the latest available, and a patch is expected to address the issue.
The impact of CVE-2024-12866 is significant due to the potential for unauthorized access to sensitive information and subsequent remote code execution. An attacker exploiting this vulnerability could read configuration files containing database credentials, SSH private keys, or other sensitive data. Exposure of SSH keys would allow the attacker to gain remote access to the system. Access to source code could also reveal additional vulnerabilities or intellectual property. The blast radius extends to any system running a vulnerable version of qanything, particularly those with publicly accessible file paths or inadequate access controls.
CVE-2024-12866 was publicly disclosed on 2025-03-20. The vulnerability's simplicity and the potential for remote code execution suggest a medium probability of exploitation. There are currently no known public proof-of-concept exploits, but the ease of exploitation makes it likely that one will emerge. The vulnerability has not been added to the CISA KEV catalog at the time of this writing.
Exploit Status
EPSS: 0.25% (48th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2024-12866 is to upgrade to a patched version of qanything as soon as it becomes available. Until a patch is released, consider applying temporary workarounds such as restricting file access permissions and validating input so that malicious file paths are rejected before they are used. Monitor system logs for unusual file access patterns. While a WAF or proxy cannot directly prevent LFI, they can be configured to detect and block requests containing suspicious file path patterns. After upgrading, verify the fix by attempting to access a non-existent file through the vulnerable endpoint and confirming that access is denied.
Update qanything to a version later than v2.0.0 that fixes the local file inclusion vulnerability. Refer to the project's release notes or changelog for more details on the fix. As a temporary measure, restrict access to sensitive system files and validate user inputs to prevent file path manipulation.
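The input-validation and log-monitoring workarounds described above, as an added example that is not qanything's own code and not the upstream fix: a path-confinement helper a Python file-serving handler could call before opening a user-named file, plus a filter over constructed request log lines. The base directory, the query parameter name and the log format are assumptions.

```python
# Added example (not qanything's own code): interim LFI hardening for a
# Python file handler, plus a log filter for traversal-style request paths.
import re
from pathlib import Path
from typing import List, Optional
from urllib.parse import unquote


def safe_resolve(base_dir: str, user_path: str) -> Optional[Path]:
    """Return the resolved path of user_path inside base_dir, or None if it escapes.

    Percent-decodes first (so %2e%2e%2f is seen as ../), rejects NUL bytes and
    absolute paths, then compares fully resolved paths so that '..' segments
    and symlinks are judged the way the OS would actually follow them.
    """
    decoded = unquote(user_path)
    if "\x00" in decoded or Path(decoded).is_absolute():
        return None
    base = Path(base_dir).resolve()          # assumed document root
    candidate = (base / decoded).resolve()   # collapses '..' and symlinks
    try:
        candidate.relative_to(base)          # raises if outside base
    except ValueError:
        return None
    return candidate


# Constructed sample access-log lines; the endpoint and parameter are assumptions.
SAMPLE_LOG = """\
GET /api/file?name=report.pdf 200
GET /api/file?name=../../etc/passwd 200
GET /api/file?name=%2e%2e%2f%2e%2e%2fetc%2fshadow 200
GET /api/file?name=notes/2024.txt 200
"""

_TRAVERSAL = re.compile(r"\.\.[/\\]|\x00")


def suspicious_requests(log_text: str) -> List[str]:
    """Return log lines that, once percent-decoded, contain a '../' segment or a NUL."""
    return [line for line in log_text.splitlines()
            if _TRAVERSAL.search(unquote(line))]
```

Decoding before matching is what catches the encoded variant on the third line; a WAF rule that inspects only the raw request string would miss it.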
CVE-2024-12866 is a Local File Inclusion vulnerability in the qanything Python application, allowing attackers to read arbitrary files.
You are affected if you are using qanything version ≤ latest. Check your installed version and upgrade as soon as a patch is available.
Upgrade to a patched version of qanything. Until a patch is available, restrict file access and validate input.
There are currently no known active exploits, but the vulnerability's simplicity suggests a potential for exploitation.
Refer to the netease-youdao project repository and relevant security mailing lists for updates on the advisory and patch release.