AVID-2026-R1526

Description

Remote Code Execution due to LFI in ‘/install_extension’ in parisneo/lollms-webui (CVE-2024-4320)

Details

A remote code execution (RCE) vulnerability exists in the ‘/install_extension’ endpoint of the parisneo/lollms-webui application, specifically within the @router.post("/install_extension") route handler. The vulnerability arises due to improper handling of the name parameter in the ExtensionBuilder().build_extension() method, which allows for local file inclusion (LFI) leading to arbitrary code execution. An attacker can exploit this vulnerability by crafting a malicious name parameter that causes the server to load and execute a __init__.py file from an arbitrary location, such as the upload directory for discussions. This vulnerability affects the latest version of parisneo/lollms-webui and can lead to remote code execution without requiring user interaction, especially when the application is exposed to an external endpoint or operated in headless mode.
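The defect described above is a missing confinement check on the extension name before it is turned into a filesystem path. The function below is an added example (not lollms-webui's own code) of the check a loader should perform; it assumes a hypothetical layout of `<extensions_root>/<name>/__init__.py` and rejects names that would point the loader at an `__init__.py` outside the extensions directory, such as a discussions upload folder.

```python
from pathlib import Path


class ExtensionNameError(ValueError):
    """Raised when an extension name would resolve outside the extensions root."""


def resolve_extension_init(extensions_root: str, name: str) -> Path:
    """Return the __init__.py that extension `name` would be loaded from,
    but only if it lies inside `extensions_root`.

    Assumed layout (hypothetical, not the project's real code):
    <extensions_root>/<name>/__init__.py
    """
    root = Path(extensions_root).resolve()

    # First gate: the name must be a single, plain path component. Anything
    # carrying a separator (either platform), a parent reference, or nothing
    # at all is rejected before it ever touches the filesystem.
    if not name or name in (".", "..") or any(c in name for c in ("/", "\\", "\0")):
        raise ExtensionNameError(f"invalid extension name: {name!r}")

    # Second gate (defence in depth): after resolving symlinks and drive
    # prefixes, the candidate must still sit below the extensions root.
    candidate = (root / name / "__init__.py").resolve()
    if root not in candidate.parents:
        raise ExtensionNameError(f"extension path escapes root: {candidate}")
    return candidate


def is_safe_extension_name(extensions_root: str, name: str) -> bool:
    """Convenience wrapper: True if the name passes both gates."""
    try:
        resolve_extension_init(extensions_root, name)
        return True
    except ExtensionNameError:
        return False


if __name__ == "__main__":
    # Constructed sample inputs; the root path does not need to exist.
    root = "/srv/lollms/extensions"
    for candidate_name in ("my_extension", "../uploads/discussions/x", "..", "/tmp/x"):
        print(f"{candidate_name!r:35} -> {is_safe_extension_name(root, candidate_name)}")
```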

Reason for inclusion in AVID: CVE-2024-4320 describes a remote code execution due to local file inclusion in the install_extension endpoint of parisneo/lollms-webui. This is a vulnerability in a software component used to deploy/serve AI models (AI web UI extension loading), i.e., part of the AI software stack. It is a security vulnerability (RCE) with a CVSS score and CWE-29, providing clear evidence of exploitation potential in AI deployment tooling. Therefore it is relevant to the AI supply chain and should be kept for AVID curation.

References

Affected or Relevant Artifacts

  • Developer: parisneo
  • Deployer: parisneo
  • Artifact Details:
    Type    Name
    System  parisneo/lollms-webui

Impact

AVID Taxonomy Categorization

  • Risk domains: Security
  • SEP subcategories: S0100: Software Vulnerability
  • Lifecycle stages: L06: Deployment

CVSS

Version: 3.0
Vector String: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Base Score: 9.8
Base Severity: 🔴 Critical
Attack Vector: NETWORK
Attack Complexity: 🟢 Low
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: 🔴 High
Integrity Impact: 🔴 High
Availability Impact: 🔴 High

CWE

ID      Description
CWE-29  Path Traversal: ‘..\filename’

Other information

  • Report Type: Advisory
  • Credits:
  • Date Reported: 2024-06-06
  • Version: 0.3.3
  • AVID Entry