Home » Database

AVID-2026-R1597

Description

Remote Code Execution in mudler/localai (CVE-2024-6983)

Details

mudler/localai version 2.17.1 is vulnerable to remote code execution. The vulnerability arises because the localai backend receives inputs not only from the configuration file but also from other inputs, allowing an attacker to upload a binary file and execute malicious code. This can lead to the attacker gaining full control over the system.

Reason for inclusion in AVID: CVE-2024-6983 describes a remote code execution flaw in mudler/localai (v2.17.1) where inputs can cause uploading and execution of a binary, granting full control. LocalAI is used as a backend for AI systems, so this is an AI software stack vulnerability. It affects a software component (dependency) used to build/run AI systems, fitting the general-purpose AI supply chain scope. The report includes explicit RCE (security/safety vuln) details, CWE-94, and CVSS metrics, providing sufficient evidence.

References

Affected or Relevant Artifacts

  • Developer: mudler
  • Deployer: mudler
  • Artifact Details:
TypeName
Systemmudler/localai

Impact

AVID Taxonomy Categorization

  • Risk domains: Security
  • SEP subcategories: S0100: Software Vulnerability
  • Lifecycle stages: L06: Deployment

CVSS

Version3.0
Vector StringCVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Base Score8.8
Base Severity🔴 High
Attack VectorNETWORK
Attack Complexity🟢 Low
Privileges Required🟢 Low
User InteractionNONE
ScopeUNCHANGED
Confidentiality Impact🔴 High
Integrity Impact🔴 High
Availability Impact🔴 High

CWE

IDDescription
CWE-94CWE-94 Improper Control of Generation of Code

Other information

  • Report Type: Advisory
  • Credits:
  • Date Reported: 2024-09-27
  • Version: 0.3.3
  • AVID Entry