CVE-2024-6139: lollms vulnerable to dot-dot-slash path traversal in XTTS server

June 27, 2024 (updated June 28, 2024)

A path traversal vulnerability exists in the XTTS server of the parisneo/lollms package version v9.6. This vulnerability allows an attacker to write audio files to arbitrary locations on the system and enumerate file paths. The issue arises from improper validation of user-provided file paths in the tts_to_file endpoint.

References

github.com/ParisNeo/lollms
github.com/advisories/GHSA-w9qf-83jg-2x6c
huntr.com/bounties/fd00f112-efd0-40a1-8227-d6733716e4c0
nvd.nist.gov/vuln/detail/CVE-2024-6139

Detect and mitigate CVE-2024-6139 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →