CVE-2024-3429

Name of the Vulnerable Software and Affected Versions parisneo/lollms versions prior to 9.6

Description A path traversal vulnerability exists in the parisneo/lollms application, specifically within the sanitize path from endpoint and sanitize path functions in lollms corelollmssecurity.py. This vulnerability allows for arbitrary file reading when the application is running on Windows. The issue arises due to insufficient sanitization of user-supplied input, enabling attackers to bypass the path traversal protection mechanisms by crafting malicious input. Successful exploitation could lead to unauthorized access to sensitive files, information disclosure, and potentially a denial of service (DoS) condition by including numerous large or resource-intensive files.

Recommendations As a temporary workaround, consider disabling the sanitize path from endpoint and sanitize path functions in lollms corelollmssecurity.py until a patch is available. Update to version 9.6 or later to resolve the issue.