CVE-2024-2029

Name of the Vulnerable Software and Affected Versions mudler/localai versions prior to v2.10.0

Description A command injection issue exists in the TranscriptEndpoint of mudler/localai, specifically within the audioToWav function used for converting audio files to WAV format for transcription. The issue arises due to the lack of sanitization of user-supplied filenames before passing them to ffmpeg via a shell command, allowing an attacker to execute arbitrary commands on the host system. Successful exploitation could lead to unauthorized access, data breaches, or other detrimental impacts, depending on the privileges of the process executing the code.

Recommendations For versions prior to v2.10.0, update to version v2.10.0 or later to resolve the issue. As a temporary workaround, consider disabling the audioToWav function in the TranscriptEndpoint until a patch is available. Restrict access to the TranscriptEndpoint to minimize the risk of exploitation.