We use cookies to improve your experience on our site.
AVID-2026-R1550
Description
Vulnerability CVE-2024-48057
Details
localai <=2.20.1 is vulnerable to Cross Site Scripting (XSS). When calling the delete model API and passing inappropriate parameters, it can cause a one-time storage XSS, which will trigger the payload when a user accesses the homepage.
Reason for inclusion in AVID: The CVE describes a storage XSS vulnerability in LocalAI (<= 2.20.1) via the delete model API, enabling attacker-controlled payload execution when a homepage is loaded. This is a software vulnerability in an AI model-serving component used in AI pipelines, representing a risk to general-purpose AI systems. The issue pertains to a software supply chain—specifically a dependency/framework used to deploy AI models—rather than hardware/firmware. There is explicit CVE and corroborating references, providing sufficient signal.
References
- NVD entry
- https://rumbling-slice-eb0.notion.site/LocalAI-deleted-model-with-storage-XSS-CSRF-vulnerability-in-mudler-localai-101e3cda9e8c80e0ac12fe418d5dd982?pvs=4
- https://gist.github.com/AfterSnows/1bd7ee5a3a42dbb5f5ff67f7f9c8ccec
Affected or Relevant Artifacts
- Developer: n/a
- Deployer: n/a
- Artifact Details:
| Type | Name |
|---|---|
| System | n/a |
Impact
AVID Taxonomy Categorization
- Risk domains: Security
- SEP subcategories: S0100: Software Vulnerability
- Lifecycle stages: L06: Deployment
Other information
- Report Type: Advisory
- Credits:
- Date Reported: 2024-11-04
- Version: 0.3.3
- AVID Entry