CVE-2024-10131

Name of the Vulnerable Software and Affected Versions infiniflow/ragflow version 0.11.0

Description The issue concerns a remote code execution vulnerability in the add llm function, located in llm app.py. This function utilizes user-supplied input, specifically req['llm factory'] and req['llm name'], to dynamically instantiate classes from various model dictionaries. Due to inadequate input validation or sanitization, an attacker can potentially execute arbitrary code by providing a malicious value for llm factory, which, when used as an index to these model dictionaries, results in the execution of arbitrary code.

Recommendations For infiniflow/ragflow version 0.11.0, as a temporary workaround, consider disabling the add llm function in llm app.py until a patch is available. Restrict access to the llm app.py module to minimize the risk of exploitation. Avoid using the parameters req['llm factory'] and req['llm name'] in the affected function until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.