cbcvebase.
CVE-2024-2029
published 2024-04-10

CVE-2024-2029: A command injection vulnerability exists in the `TranscriptEndpoint` of mudler/localai, specifically within the `audioToWav` function used for converting audio…

PriorityP268critical9.8CVSS 3.0
AVNACLPRNUINSUCHIHAH
EPSS
2.88%
85.1th percentile
A command injection vulnerability exists in the `TranscriptEndpoint` of mudler/localai, specifically within the `audioToWav` function used for converting audio files to WAV format for transcription. The vulnerability arises due to the lack of sanitization of user-supplied filenames before passing them to ffmpeg via a shell command, allowing an attacker to execute arbitrary commands on the host system. Successful exploitation could lead to unauthorized access, data breaches, or other detrimental impacts, depending on the privileges of the process executing the code.

Affected

3 ranges
VendorProductVersion rangeFixed in
github.comgo-skynet_localai>= 0 < 2.10.02.10.0
mudlerlocalai< 2.10.02.10.0
mudlermudler_localai>= unspecified < v2.10.0v2.10.0
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.