CVE-2024-5182: LocalAI path traversal vulnerability
A path traversal vulnerability exists in mudler/localai version 2.14.0, where an attacker can exploit the model parameter during the model deletion process to delete arbitrary files. Specifically, by crafting a request with a manipulated model parameter, an attacker can traverse the directory structure and target files outside of the intended directory, leading to the deletion of sensitive data. This vulnerability is due to insufficient input validation and sanitization of the model parameter.
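The missing validation described above can be illustrated with a containment check applied before any delete. This is an added example, not LocalAI's code or its actual fix; the helper name `safeModelPath`, the error value and the `/var/lib/models` directory are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideModelsDir is a hypothetical error for names that leave the models directory.
var ErrOutsideModelsDir = errors.New("model path escapes models directory")

// safeModelPath (hypothetical helper) resolves a user-supplied model name
// against modelsDir and refuses any result not strictly inside that directory.
func safeModelPath(modelsDir, model string) (string, error) {
	if model == "" || filepath.IsAbs(model) {
		return "", ErrOutsideModelsDir
	}
	base := filepath.Clean(modelsDir)
	// Join cleans the result, so "a/../../b" collapses to a path above base.
	candidate := filepath.Join(base, model)
	rel, err := filepath.Rel(base, candidate)
	if err != nil {
		return "", ErrOutsideModelsDir
	}
	// "." is the directory itself; ".." or "../x" is outside it.
	if rel == "." || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideModelsDir
	}
	return candidate, nil
}

func main() {
	// Constructed sample inputs: two legitimate names and several that must be rejected.
	names := []string{"llama.gguf", "sub/llama.gguf", "../outside.txt", "a/../../b", "..", "/abs/file"}
	for _, name := range names {
		p, err := safeModelPath("/var/lib/models", name)
		fmt.Printf("%-18q -> %q err=%v\n", name, p, err)
	}
}
```

The check is purely lexical: it does not resolve symbolic links, so a deployment that allows symlinks inside the models directory would also need to compare the resolved path (for example via `filepath.EvalSymlinks`) before deleting.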