CVE-2024-5182

Name of the Vulnerable Software and Affected Versions mudler/localai version 2.14.0 github.com/go-skynet/LocalAI before v2.16.0

Description A path traversal vulnerability exists, allowing an attacker to exploit the model parameter during the model deletion process to delete arbitrary files. By crafting a request with a manipulated model parameter, an attacker can traverse the directory structure and target files outside of the intended directory, leading to the deletion of sensitive data. This issue is due to insufficient input validation and sanitization of the model parameter.

Recommendations For mudler/localai version 2.14.0, update to a version later than 2.14.0. For github.com/go-skynet/LocalAI before v2.16.0, update to version v2.16.0 or later. As a temporary workaround, consider restricting access to the model deletion process to minimize the risk of exploitation. Avoid using the model parameter in the affected API endpoint until the issue is resolved.