CVE-2024-4897Improper Neutralization of Equivalent Special Elements in WEB UI

CWE-76Improper Neutralization of Equivalent Special Elements3 documents3 sources
Severity
8.4HIGHNVD
EPSS
0.8%
top 26.54%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Lollms WEB UI
Timeline
PublishedJul 2
Latest updateFeb 18

Description

parisneo/lollms-webui, in its latest version, is vulnerable to remote code execution due to an insecure dependency on llama-cpp-python version llama_cpp_python-0.2.61+cpuavx2-cp311-cp311-manylinux_2_31_x86_64. The vulnerability arises from the application's 'binding_zoo' feature, which allows attackers to upload and interact with a malicious model file hosted on hugging-face, leading to remote code execution. The issue is linked to a known vulnerability in llama-cpp-python, CVE-2024-34359, which

CVSS vector

CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 2.5 | Impact: 5.9

Affected Packages1 packages

Patches

Patch: huntr.comPatch: huntr.com

🔴Vulnerability Details

1
GHSA
GHSA-325v-4jhh-rp36: parisneo/lollms-webui, in its latest version, is vulnerable to remote code execution due to an insecure dependency on llama-cpp-python version llama_c2024-07-02

📄Research Papers

1
arXiv
SoK: Understanding Vulnerabilities in the Large Language Model Supply Chain2025-02-18