lollms 5.9.5 vulnerabilities

Known vulnerabilities in the lollms package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability	Vulnerable Version
H Missing Critical Step in Authentication lollms is a python library for AI personality definition Affected versions of this package are vulnerable to Missing Critical Step in Authentication due to a missing `check_access()` call in the `install_binding()` function. An attacker can add, modify, and remove bindings by accessing the `/install_binding` and `/reinstall_binding` endpoints. How to fix Missing Critical Step in Authentication? A fix was pushed into the `master` branch but not yet published.	[0,)
C Arbitrary Command Injection lollms is a python library for AI personality definition Affected versions of this package are vulnerable to Arbitrary Command Injection in the `calculate()` function, which uses the `eval()` function without sufficient protection. An attacker can execute commands on the server by injecting builtin Python commands in a way which bypasses the `__builtins__` block, to load unauthorized modules. How to fix Arbitrary Command Injection? Upgrade `lollms` to version 11.0.0 or higher.	[,11.0.0)
M Directory Traversal lollms is a python library for AI personality definition Affected versions of this package are vulnerable to Directory Traversal over the `wipe_database` endpoint. An attacker can delete any directory on the target filesystem by sending a specially crafted HTTP request that manipulates the `key` parameter used to construct file paths. How to fix Directory Traversal? A fix was pushed into the `master` branch but not yet published.	[0,)
M Relative Path Traversal lollms is a python library for AI personality definition Affected versions of this package are vulnerable to Relative Path Traversal in the `sanitize_path()` function, which does not account for `./` sequences in pathnames. An attacker can bypass the sanitization to access the contents of `personality_folder`. This vulnerability is a bypass to the fix introduced for the vulnerability described in CVE-2024-6985. How to fix Relative Path Traversal? A fix was pushed into the `master` branch but not yet published.	[0,)
M Cross-site Scripting (XSS) lollms is a python library for AI personality definition Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the `sanitize_svg` function. How to fix Cross-site Scripting (XSS)? A fix was pushed into the `master` branch but not yet published.	[0,)
M Directory Traversal lollms is a python library for AI personality definition Affected versions of this package are vulnerable to Directory Traversal through the `lollms_file_system.py` file. An attacker can manipulate file paths to access or modify files outside of the intended directories by supplying malicious input to the functions `add_rag_database`, `toggle_mount_rag_database`, and `vectorize_folder`. How to fix Directory Traversal? Upgrade `lollms` to version 9.5.1 or higher.	[,9.5.1)
M Relative Path Traversal lollms is a python library for AI personality definition Affected versions of this package are vulnerable to Relative Path Traversal due to improper sanitization of the `personality_folder` parameter. An attacker can read any folder in the `personality_folder` on the victim's computer by exploiting the ability to traverse directories and access arbitrary files through the `open_personality_folder` endpoint. How to fix Relative Path Traversal? Upgrade `lollms` to version 9.5.1 or higher.	[,9.5.1)
H Directory Traversal lollms is a python library for AI personality definition Affected versions of this package are vulnerable to Directory Traversal through the `apply_settings` function. An attacker can manipulate the path and potentially write to important system folders by exploiting the inadequate security of the `sanitize_path` function, particularly the `discussion_db_name` parameter. How to fix Directory Traversal? Upgrade `lollms` to version 9.5.1 or higher.	[,9.5.1)
H Improper Control of Generation of Code ('Code Injection') lollms is a python library for AI personality definition Affected versions of this package are vulnerable to Improper Control of Generation of Code ('Code Injection') through the `create_conda_env` function. An attacker can execute arbitrary commands by manipulating the `env_name` and `python_version` parameters. How to fix Improper Control of Generation of Code ('Code Injection')? There is no fixed version for `lollms`.	[0,)
M Path Traversal lollms is a python library for AI personality definition Affected versions of this package are vulnerable to Path Traversal in speaker wav and output file paths. This vulnerability can be abused to write audio files compatible with XTTS to arbitrary locations on the system, and also enumerate such file paths on the system. How to fix Path Traversal? There is no fixed version for `lollms`.	[0,)
H Path Traversal lollms is a python library for AI personality definition Affected versions of this package are vulnerable to Path Traversal due to the possibility of performing an unauthenticated root folder settings change. An attacker can read arbitrary files on the system. Note: This vulnerability can be abused to write audio files compatible with XTTS to arbitrary locations on the system, and also enumerate such file paths on the system. How to fix Path Traversal? There is no fixed version for `lollms`.	[0,)
C Command Injection lollms is a python library for AI personality definition Affected versions of this package are vulnerable to Command Injection in the `unInstall_binding` function. An attacker can execute arbitrary code by loading a malicious `__init__.py` file due to insufficient sanitization of the `name` parameter. How to fix Command Injection? Upgrade `lollms` to version 9.5.1 or higher.	[0,9.5.1)

Vulnerability

Vulnerable Version

Missing Critical Step in Authentication

lollms is a python library for AI personality definition

Affected versions of this package are vulnerable to Missing Critical Step in Authentication due to a missing check_access() call in the install_binding() function. An attacker can add, modify, and remove bindings by accessing the /install_binding and /reinstall_binding endpoints.

How to fix Missing Critical Step in Authentication?

A fix was pushed into the master branch but not yet published.

[0,)

Arbitrary Command Injection

lollms is a python library for AI personality definition

Affected versions of this package are vulnerable to Arbitrary Command Injection in the calculate() function, which uses the eval() function without sufficient protection. An attacker can execute commands on the server by injecting builtin Python commands in a way which bypasses the __builtins__ block, to load unauthorized modules.

How to fix Arbitrary Command Injection?

Upgrade lollms to version 11.0.0 or higher.

[,11.0.0)

Directory Traversal

lollms is a python library for AI personality definition

Affected versions of this package are vulnerable to Directory Traversal over the wipe_database endpoint. An attacker can delete any directory on the target filesystem by sending a specially crafted HTTP request that manipulates the key parameter used to construct file paths.

How to fix Directory Traversal?

A fix was pushed into the master branch but not yet published.

[0,)

Relative Path Traversal

lollms is a python library for AI personality definition

Affected versions of this package are vulnerable to Relative Path Traversal in the sanitize_path() function, which does not account for ./ sequences in pathnames. An attacker can bypass the sanitization to access the contents of personality_folder.

This vulnerability is a bypass to the fix introduced for the vulnerability described in CVE-2024-6985.

How to fix Relative Path Traversal?

A fix was pushed into the master branch but not yet published.

[0,)

Cross-site Scripting (XSS)

lollms is a python library for AI personality definition

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the sanitize_svg function.

How to fix Cross-site Scripting (XSS)?

A fix was pushed into the master branch but not yet published.

[0,)

Directory Traversal

lollms is a python library for AI personality definition

Affected versions of this package are vulnerable to Directory Traversal through the lollms_file_system.py file. An attacker can manipulate file paths to access or modify files outside of the intended directories by supplying malicious input to the functions add_rag_database, toggle_mount_rag_database, and vectorize_folder.

How to fix Directory Traversal?

Upgrade lollms to version 9.5.1 or higher.

[,9.5.1)

Relative Path Traversal

lollms is a python library for AI personality definition

Affected versions of this package are vulnerable to Relative Path Traversal due to improper sanitization of the personality_folder parameter. An attacker can read any folder in the personality_folder on the victim's computer by exploiting the ability to traverse directories and access arbitrary files through the open_personality_folder endpoint.

How to fix Relative Path Traversal?

Upgrade lollms to version 9.5.1 or higher.

[,9.5.1)

Directory Traversal

lollms is a python library for AI personality definition

Affected versions of this package are vulnerable to Directory Traversal through the apply_settings function. An attacker can manipulate the path and potentially write to important system folders by exploiting the inadequate security of the sanitize_path function, particularly the discussion_db_name parameter.

How to fix Directory Traversal?

Upgrade lollms to version 9.5.1 or higher.

[,9.5.1)

Improper Control of Generation of Code ('Code Injection')

lollms is a python library for AI personality definition

Affected versions of this package are vulnerable to Improper Control of Generation of Code ('Code Injection') through the create_conda_env function. An attacker can execute arbitrary commands by manipulating the env_name and python_version parameters.

How to fix Improper Control of Generation of Code ('Code Injection')?

There is no fixed version for lollms.

[0,)

Path Traversal

lollms is a python library for AI personality definition

Affected versions of this package are vulnerable to Path Traversal in speaker wav and output file paths. This vulnerability can be abused to write audio files compatible with XTTS to arbitrary locations on the system, and also enumerate such file paths on the system.

How to fix Path Traversal?

There is no fixed version for lollms.

[0,)

Path Traversal

lollms is a python library for AI personality definition

Affected versions of this package are vulnerable to Path Traversal due to the possibility of performing an unauthenticated root folder settings change. An attacker can read arbitrary files on the system.

Note: This vulnerability can be abused to write audio files compatible with XTTS to arbitrary locations on the system, and also enumerate such file paths on the system.

How to fix Path Traversal?

There is no fixed version for lollms.

[0,)

Command Injection

lollms is a python library for AI personality definition

Affected versions of this package are vulnerable to Command Injection in the unInstall_binding function. An attacker can execute arbitrary code by loading a malicious __init__.py file due to insufficient sanitization of the name parameter.

How to fix Command Injection?

Upgrade lollms to version 9.5.1 or higher.

[0,9.5.1)

lollms@5.9.5 vulnerabilities

A python library for AI personality definition

latest version

first published

latest version published

licenses detected

Direct Vulnerabilities

How to fix?