Platform: python
Component: parisneo/lollms
CVE-2024-9597 describes a Path Traversal vulnerability discovered in the /wipe_database endpoint of the parisneo/lollms project, specifically impacting versions up to the latest release. This flaw allows unauthorized deletion of directories on the system, posing a significant risk to data integrity and system stability. The vulnerability stems from insufficient validation of the key parameter within the endpoint. A fix is expected in a future release.
The primary impact of CVE-2024-9597 is the potential for an attacker to gain complete control over the file system. By crafting a malicious HTTP request targeting the /wipe_database endpoint, an attacker can manipulate the key parameter to specify arbitrary file paths. This allows them to delete any directory accessible to the lollms process, including critical system files, configuration files, and user data. Successful exploitation could lead to a complete system compromise, denial of service, and data loss. The blast radius extends to any data stored on the affected system, and depending on the lollms deployment, could impact other services relying on the same infrastructure.
CVE-2024-9597 was publicly disclosed on 2025-03-20. There is currently no indication of active exploitation campaigns targeting this vulnerability. No public proof-of-concept (PoC) exploits have been released, but the ease of exploitation makes it likely that one will emerge. The vulnerability is not currently listed on the CISA KEV catalog. The severity is considered HIGH due to the potential for complete system compromise.
Exploit Status
EPSS: 0.06% (20th percentile)
While a patched version of lollms is the recommended solution, immediate mitigation steps can be taken. First, restrict access to the /wipe_database endpoint using a web application firewall (WAF) or proxy server, and implement strict access control lists (ACLs) to limit which users or IP addresses can reach it. Second, implement robust input validation on the key parameter, ensuring it only accepts expected values and rejects path traversal sequences (e.g., ../). Monitor system logs for suspicious directory deletion attempts, particularly those targeting sensitive directories. Consider temporarily disabling the /wipe_database endpoint if upgrading is not immediately feasible. After applying mitigations, verify their effectiveness by attempting to access the endpoint with a crafted request containing path traversal sequences and confirming that it is rejected.
Update the parisneo/lollms library to the latest available version. This will fix the path traversal vulnerability in the `/wipe_database` endpoint. Make sure user input is properly validated and sanitized, especially the `key` parameter, to prevent manipulation of file paths.
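The input validation recommended above, written out as an added example (this is not lollms code; the base directory name and the helper names are assumptions): the `key` is restricted to an allowlist of identifier characters and the resolved directory is confirmed to lie inside the database root before anything is deleted.

```python
import re
import shutil
from pathlib import Path

# Only plain identifiers are accepted as a database key. Separators, dots,
# empty strings and control characters never reach the filesystem layer.
KEY_PATTERN = re.compile(r"[A-Za-z0-9_-]{1,64}")


def resolve_database_dir(base_dir: str, key: str) -> Path:
    """Map an untrusted ``key`` to a directory strictly inside ``base_dir``.

    Raises ValueError when the key is malformed or when the resolved path
    (after following symlinks and collapsing '..') leaves the base directory.
    """
    if not KEY_PATTERN.fullmatch(key):
        raise ValueError(f"rejected key: {key!r}")
    base = Path(base_dir).resolve()
    target = (base / key).resolve()
    # Belt and braces: even an allowlisted name could be a symlink pointing
    # elsewhere, so confirm the final path still sits beneath the base.
    if base not in target.parents:
        raise ValueError(f"key escapes base directory: {key!r}")
    return target


def is_safe_key(base_dir: str, key: str) -> bool:
    """True when ``key`` would be accepted by resolve_database_dir."""
    try:
        resolve_database_dir(base_dir, key)
        return True
    except ValueError:
        return False


def wipe_database(base_dir: str, key: str) -> bool:
    """Delete the database directory for ``key``; report whether it existed.

    The deletion target is only ever derived through resolve_database_dir,
    so a traversal attempt fails before any filesystem call is made.
    """
    target = resolve_database_dir(base_dir, key)
    if not target.is_dir():
        return False
    shutil.rmtree(target)
    return True
```

The same check applies to any endpoint that turns a request parameter into a filesystem path: validate first, resolve second, then compare against the intended root.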
CVE-2024-9597 is a Path Traversal vulnerability in lollms, allowing attackers to delete directories. It affects versions ≤latest and has a HIGH severity rating.
If you are running lollms version ≤latest, you are potentially affected. Assess your environment and implement mitigations immediately.
The recommended fix is to upgrade to a patched version of lollms. Until then, restrict endpoint access and implement input validation.
There is currently no evidence of active exploitation, but the vulnerability's ease of exploitation suggests it may become a target.
Refer to the parisneo/lollms project repository and related security announcements for the official advisory.