
AVID-2026-R1557

Description

Path Traversal in mudler/localai (CVE-2024-5182)

Details

A path traversal vulnerability exists in mudler/localai version 2.14.0, where an attacker can exploit the model parameter during the model deletion process to delete arbitrary files. Specifically, by crafting a request with a manipulated model parameter, an attacker can traverse the directory structure and target files outside of the intended directory, leading to the deletion of sensitive data. This vulnerability is due to insufficient input validation and sanitization of the model parameter.

Reason for inclusion in AVID: The CVE describes a path traversal vulnerability in mudler/localai, a component used to run AI models. It affects a software package that can be part of GPAI stacks (deployment/runtimes/model-serving), representing a software supply chain issue. It is a security vulnerability with potential impact (arbitrary file deletion) and the report provides explicit details (CVE reference, CWE-22, CVSS metrics, references) sufficient for AVID evaluation.
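The mitigation this entry implies is validating the model parameter before it is ever turned into a filesystem path. The Go function below is an added example written for this entry, not LocalAI's own code; the function name, the models directory and the error value are illustrative assumptions. It treats a model name as a single path element, rejects separators and parent references outright, and then re-checks containment on the cleaned, joined result so that a name cannot address a file outside the models directory.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrPathEscape is returned when a requested name would resolve outside the
// models directory. Name and behaviour are assumptions made for this example.
var ErrPathEscape = errors.New("model path escapes models directory")

// SafeModelPath joins an untrusted model name onto modelsDir and refuses any
// result that does not stay inside it. Hypothetical defensive check, not the
// project's code.
func SafeModelPath(modelsDir, name string) (string, error) {
	if name == "" {
		return "", errors.New("empty model name")
	}
	// A model name is one path element: no separators (either style) and no
	// "." or ".." entries are ever legitimate.
	if strings.ContainsAny(name, `/\`) || name == "." || name == ".." {
		return "", ErrPathEscape
	}
	base := filepath.Clean(modelsDir)
	full := filepath.Join(base, name) // Join also runs Clean on the result
	// Defence in depth: confirm the joined path is still under base by
	// checking that the relative path does not start with "..".
	rel, err := filepath.Rel(base, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrPathEscape
	}
	return full, nil
}

func main() {
	// Constructed sample inputs: one legitimate name, two traversal attempts.
	for _, name := range []string{"llama.gguf", "../../etc/hosts", `..\x`} {
		p, err := SafeModelPath("/var/lib/localai/models", name)
		if err != nil {
			fmt.Printf("%-20q rejected: %v\n", name, err)
			continue
		}
		fmt.Printf("%-20q -> %s\n", name, p)
	}
}
```

Rejecting separators before the containment check matters: with only a prefix check, a name such as a nested relative path could still resolve inside the directory and pass, while the model store expects flat names. The containment check remains as a second layer in case the caller ever relaxes the first rule.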

References

Affected or Relevant Artifacts

  • Developer: mudler
  • Deployer: mudler
  • Artifact Details:
      Type      Name
      System    mudler/localai

Impact

AVID Taxonomy Categorization

  • Risk domains: Security
  • SEP subcategories: S0100: Software Vulnerability
  • Lifecycle stages: L06: Deployment

CVSS

Version: 3.0
Vector String: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Base Score: 7.5
Base Severity: 🔴 High
Attack Vector: NETWORK
Attack Complexity: 🟢 Low
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: 🔴 High

CWE

ID: CWE-22
Description: CWE-22 Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)

Other information

  • Report Type: Advisory
  • Credits:
  • Date Reported: 2024-06-19
  • Version: 0.3.3
  • AVID Entry