Llamahub · Llamahub · CVE-2024-23730
**Name of the Vulnerable Software and Affected Versions**
LlamaHub (aka llama-hub) versions prior to 0.0.67
**Description**
The OpenAPI and ChatGPT plugin loaders in LlamaHub allow attackers to execute arbitrary code because `safe load` is not used for YAML. This issue enables attackers to execute arbitrary code.
**Recommendations**
For versions prior to 0.0.67, update to version 0.0.67 or later to resolve the issue. As a temporary workaround, consider disabling the OpenAPI and ChatGPT plugin loaders until a patch is available. Restrict access to the YAML loading functionality to minimize the risk of exploitation.