PT-2025-12296 · Localai · Localai

Published: 2025-03-20 · Updated: 2025-03-20 · CVE-2024-9901

CVSS v3.1: 3.4 (Low)
Vector: AV:N/AC:L/PR:H/UI:R/S:C/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions: LocalAI v2.19.4
Description: The delete model API improperly neutralizes input during web page generation, which yields a one-time stored cross-site scripting (XSS) vulnerability: an attacker who can call the API stores a malicious payload that is rendered, and executes, when a user next loads the homepage. The API requires high privileges (PR:H in the vector), but because the endpoint is also exposed to cross-site request forgery (CSRF), the malicious request can be issued automatically from another site using a privileged user's own browser session, so the attacker does not need that session directly.
Recommendations: For LocalAI v2.19.4, disable or block access to the delete model API until a patched release is deployed, since it is the entry point for the stored payload. Restrict who can reach the web UI homepage, because that is where the stored payload executes. Do not expose the delete model API alongside functionality that accepts cross-origin state-changing requests (CSRF), which would let the payload be planted without the attacker holding a privileged session.
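The following is an added illustration of the flaw class the advisory describes, not LocalAI's own code: a toy Go handler stores an attacker-controlled model name in a status message that the homepage displays once, renders that page both by string concatenation (payload emitted as live markup) and through html/template (payload escaped), and adds an Origin check for the CSRF side. The type opState, the method DeleteModel, the status message format, the payload, and the origin http://localhost:8080 are all constructed for the example.

```go
package main

import (
	"fmt"
	"html/template"
	"strings"
)

// ConstructedPayload is a constructed "model name" of the kind an attacker could
// submit to a delete-model endpoint; it is only a demo value.
const ConstructedPayload = `<img src=x onerror=alert(1)>`

// opState stands in for the status a UI keeps about its most recent gallery
// operation. The name and shape are assumptions for this example, not LocalAI's.
type opState struct {
	lastStatus string
}

// DeleteModel simulates a delete whose outcome message embeds the caller-supplied
// model name verbatim. That stored string is later rendered on the homepage.
func (s *opState) DeleteModel(name string) {
	s.lastStatus = "failed to delete model " + name + ": not found"
}

// take returns the stored status and clears it, so it is displayed exactly once
// (the "one-time stored" behaviour the advisory describes).
func (s *opState) take() string {
	st := s.lastStatus
	s.lastStatus = ""
	return st
}

// RenderHomeVulnerable builds the homepage by string concatenation: the stored
// status is emitted as raw markup, so the payload becomes live HTML.
func (s *opState) RenderHomeVulnerable() string {
	return `<html><body><div class="status">` + s.take() + `</div></body></html>`
}

// homeTmpl is the same page as an html/template, which escapes {{.Status}} for
// the HTML text context it appears in.
var homeTmpl = template.Must(template.New("home").Parse(
	`<html><body><div class="status">{{.Status}}</div></body></html>`))

// RenderHomeSafe renders the stored status through html/template, so "<" and ">"
// in the payload reach the browser as &lt; and &gt; and nothing executes.
func (s *opState) RenderHomeSafe() (string, error) {
	var b strings.Builder
	if err := homeTmpl.Execute(&b, map[string]string{"Status": s.take()}); err != nil {
		return "", err
	}
	return b.String(), nil
}

// ContainsActiveMarkup reports whether the page carries the payload as a real
// tag rather than as escaped text.
func ContainsActiveMarkup(page string) bool {
	return strings.Contains(page, "<img ")
}

// AllowStateChange is the CSRF side of the advisory: a state-changing endpoint
// should refuse GET/HEAD and refuse requests whose Origin header is absent or is
// not the UI's own origin, so a page on another site cannot fire the delete with
// the administrator's cookies. selfOrigin is supplied by the caller (assumed value).
func AllowStateChange(method, origin, selfOrigin string) bool {
	if method == "GET" || method == "HEAD" {
		return false
	}
	return origin != "" && origin == selfOrigin
}

func main() {
	var s opState
	s.DeleteModel(ConstructedPayload)
	fmt.Println("vulnerable:", s.RenderHomeVulnerable())
	s.DeleteModel(ConstructedPayload)
	safe, err := s.RenderHomeSafe()
	if err != nil {
		panic(err)
	}
	fmt.Println("escaped:   ", safe)
	fmt.Println("cross-site POST allowed?",
		AllowStateChange("POST", "https://attacker.example", "http://localhost:8080"))
}
```

The second call to RenderHomeVulnerable after a single DeleteModel yields an empty status, which is the one-shot behaviour that makes this a one-time stored XSS rather than a persistent one. The Origin check is a complement to, not a replacement for, anti-CSRF tokens; it deliberately rejects requests with no Origin header, so non-browser clients must send one.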

Fix

XSS


Weakness Enumeration

Related Identifiers

CVE-2024-9901

Affected Products

Localai