
AVID-2026-R1629

Description

Local File Inclusion in bentoml/openllm (CVE-2024-8982)

Details

A Local File Inclusion (LFI) vulnerability in OpenLLM version 0.6.10 allows attackers to include, and thereby read, files from the local server through the web application. This exposes internal server files and potentially sensitive data such as configuration files, credentials, and private keys; /etc/passwd is the usual proof-of-concept target, but any file the serving process can read is in scope. Unauthorized access to such files can lead to a complete compromise of the system, and attackers can use the exposed information to penetrate the network further, exfiltrate data, or escalate privileges within the environment.

Reason for inclusion in AVID: CVE-2024-8982 describes a Local File Inclusion vulnerability in the OpenLLM component (bentoml/openllm), which is used to deploy and serve AI models. This directly impacts the software stack used to build, package, deploy, run, and manage general-purpose AI systems, qualifying as a software supply-chain issue within AI workflows. The vulnerability can lead to exposure of sensitive local files (configuration data, credentials), representing a security/safety risk in AI deployments. Hardware/firmware is not implicated, and the evidence clearly links to AI software components and deployment tooling.
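The entry classifies the flaw under CWE-29, the backslash form of path traversal. The page does not quote the vulnerable OpenLLM endpoint, so the following is an added illustration of the bug class rather than OpenLLM's own code: a naive path join that trusts the request path, beside a hardened resolver that percent-decodes once, treats backslashes as separators, strips leading separators, resolves symlinks and then checks containment. The base directory, function names and request paths are all constructed for the example.

```python
import os
import urllib.parse

# Constructed base directory for the illustration; OpenLLM's real file-serving
# paths are not quoted on the page, so nothing here claims to match them.
BASE_DIR = os.path.realpath("/srv/openllm/static")


def vulnerable_resolve(user_path: str) -> str:
    """Naive join: the request path is trusted, so '..' walks out of BASE_DIR
    and an absolute path replaces BASE_DIR entirely."""
    return os.path.normpath(os.path.join(BASE_DIR, user_path))


def is_contained(path: str) -> bool:
    """True only when path sits at or below BASE_DIR. commonpath avoids the
    '/srv/openllm/static2' prefix trap that a plain startswith check has."""
    return os.path.commonpath([BASE_DIR, path]) == BASE_DIR


def hardened_resolve(user_path: str) -> str:
    """Decode, normalise separators, resolve symlinks, then check containment."""
    # Percent-decode once so '%2e%2e%2f' cannot hide '../' from the check.
    # If the web framework already decoded the path, run the check on that
    # value instead of decoding a second time, or '%252e' becomes a bypass.
    decoded = urllib.parse.unquote(user_path)
    # Treat backslashes as separators as well (the '..\filename' form of CWE-29)
    # and strip leading separators so os.path.join is never handed an absolute
    # path; an absolute request is therefore remapped under BASE_DIR, not honoured.
    normalized = decoded.replace("\\", "/").lstrip("/")
    candidate = os.path.realpath(os.path.join(BASE_DIR, normalized))
    if not is_contained(candidate):
        raise PermissionError(f"path escapes base directory: {user_path!r}")
    return candidate


def classify(requests):
    """Map each request path to the file it resolves to, or 'denied'."""
    result = {}
    for req in requests:
        try:
            result[req] = hardened_resolve(req)
        except PermissionError:
            result[req] = "denied"
    return result


# Constructed request paths: one legitimate, the rest traversal attempts.
SAMPLE_REQUESTS = [
    "models/config.json",
    "../../../etc/passwd",
    "..\\..\\..\\etc\\passwd",
    "%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd",
    "/etc/passwd",
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(f"naive  : {req!r:45} -> {vulnerable_resolve(req)}")
    for req, outcome in classify(SAMPLE_REQUESTS).items():
        print(f"checked: {req!r:45} -> {outcome}")
```

Running it on a POSIX host shows the naive resolver returning /etc/passwd for both the dot-dot and the absolute request; the backslash and percent-encoded forms only escape the naive join once a Windows filesystem or the framework's URL decoding gets involved, which is why the hardened version normalises them before checking rather than relying on the join to do so.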

References

Affected or Relevant Artifacts

  • Developer: bentoml
  • Deployer: bentoml
  • Artifact Details:
    Type: System
    Name: bentoml/openllm

Impact

AVID Taxonomy Categorization

  • Risk domains: Security
  • SEP subcategories: S0100: Software Vulnerability
  • Lifecycle stages: L06: Deployment

CVSS

Version: 3.0
Vector String: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Base Score: 6.2
Base Severity: 🟠 Medium
Attack Vector: LOCAL
Attack Complexity: 🟢 Low
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: 🔴 High
Integrity Impact: NONE
Availability Impact: NONE

The vector records the attack vector as Local, while the description says the files are included through the web application. The 6.2 score follows from the vector as recorded; the same metrics with AV:N would score 7.5 (High), so deployments that expose the OpenLLM HTTP interface should read the severity with that in mind.

CWE

ID: CWE-29
Description: Path Traversal: '..\filename'

Other information

  • Report Type: Advisory
  • Credits:
  • Date Reported: 2025-03-20
  • Version: 0.3.3
  • AVID Entry