CVE-2024-9900

Name of the Vulnerable Software and Affected Versions mudler/localai version v2.21.1 mudler/localai versions prior to v2.22.0

Description The issue arises due to improper sanitization of user input, allowing the injection and execution of arbitrary JavaScript code. This can lead to the execution of malicious scripts in the context of the victim's browser, potentially compromising user sessions, stealing session cookies, redirecting users to malicious websites, or manipulating the DOM.

Recommendations For mudler/localai version v2.21.1, update to version v2.22.0 or later to resolve the issue. For mudler/localai versions prior to v2.22.0, update to version v2.22.0 or later to resolve the issue. As a temporary workaround, consider disabling the search functionality until a patch is available. Restrict access to the search module to minimize the risk of exploitation. Avoid using the search functionality in the affected API endpoint until the issue is resolved.