CVE-2024-5181

Name of the Vulnerable Software and Affected Versions mudler/localai version 2.14.0

Description A command injection issue exists due to the application's handling of the backend parameter in the configuration file. This parameter is used in the name of the initialized process, allowing an attacker to exploit the vulnerability by manipulating the path of the vulnerable binary file. The issue arises from improper neutralization of special elements used in an OS command, potentially leading to full control over the affected system.

Recommendations For mudler/localai version 2.14.0, consider restricting access to the configuration file to prevent manipulation of the backend parameter until a patch is available. As a temporary workaround, avoid using the vulnerable binary file specified in the backend parameter to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.