lollms@9.5.1 vulnerabilities

A python library for AI personality definition

Direct Vulnerabilities

Known vulnerabilities in the lollms package. This does not include vulnerabilities belonging to this package’s dependencies.

Each entry below gives the severity, the advisory text, the fix status and the vulnerable version range.
  • Missing Critical Step in Authentication (severity: High)

Affected versions of this package are vulnerable to Missing Critical Step in Authentication because the install_binding() function does not call check_access(). An attacker can add, modify, and remove bindings by reaching the /install_binding and /reinstall_binding endpoints without authorization.

How to fix Missing Critical Step in Authentication?

A fix was pushed into the master branch but not yet published.

Vulnerable versions: [0,)
  • Arbitrary Command Injection (severity: Critical)

Affected versions of this package are vulnerable to Arbitrary Command Injection in the calculate() function, which evaluates its input with eval() without sufficient protection. An attacker can execute commands on the server by injecting built-in Python functions in a way that bypasses the __builtins__ restriction and loads unauthorized modules.

How to fix Arbitrary Command Injection?

Upgrade lollms to version 11.0.0 or higher.

Vulnerable versions: [,11.0.0)
  • Directory Traversal (severity: Medium)

Affected versions of this package are vulnerable to Directory Traversal via the wipe_database endpoint. An attacker can delete any directory on the target filesystem by sending a specially crafted HTTP request that manipulates the key parameter from which the file path is constructed.

How to fix Directory Traversal?

A fix was pushed into the master branch but not yet published.

Vulnerable versions: [0,)
  • Relative Path Traversal (severity: Medium)

Affected versions of this package are vulnerable to Relative Path Traversal in the sanitize_path() function, which does not account for ./ sequences in pathnames. An attacker can bypass the sanitization and access the contents of personality_folder.

This vulnerability bypasses the fix introduced for the vulnerability described in CVE-2024-6985.

How to fix Relative Path Traversal?

A fix was pushed into the master branch but not yet published.

Vulnerable versions: [0,)
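The two traversal entries above (the wipe_database key and the sanitize_path() ./ bypass) share one root cause: a string check on the raw path instead of a containment check on the resolved path. The following is an added example, not lollms code; the naive checker is a constructed illustration of the bypass class, and the base directory name is borrowed from the personality_folder mentioned in the entry.

```python
import os
from pathlib import Path

# Constructed base directory for the demonstration (does not need to exist,
# Path.resolve() is non-strict by default).
PERSONALITY_FOLDER = "/srv/lollms/personality_folder"


def naive_sanitize(user_path: str) -> bool:
    """Constructed illustration (not the lollms code): accept anything that
    does not begin with '..'. A leading './' segment defeats this check,
    which is the class of bypass the Relative Path Traversal entry describes."""
    return not user_path.startswith("..")


def safe_join(base_dir: str, user_path: str) -> Path:
    """Resolve user_path under base_dir and refuse anything that escapes it.

    Rejects NUL bytes, absolute paths, and any mix of './', '../' or
    symlinks whose resolved location is not strictly inside base_dir.
    Strict containment also rejects '.' itself, so a delete-style endpoint
    (like wipe_database) cannot be pointed at the base directory.
    """
    if "\x00" in user_path:
        raise ValueError("NUL byte in path")
    if os.path.isabs(user_path):
        raise ValueError("absolute path rejected")
    base = Path(base_dir).resolve()
    # resolve() collapses './' and '../' segments and follows symlinks, so the
    # containment check sees the real target rather than the raw string.
    target = (base / user_path).resolve()
    if base not in target.parents:
        raise ValueError(f"path escapes {base_dir}: {user_path!r}")
    return target


def is_contained(base_dir: str, user_path: str) -> bool:
    """Boolean wrapper around safe_join() for callers that only need a verdict."""
    try:
        safe_join(base_dir, user_path)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for p in ["default/config.yaml", "../secrets.txt", "./../secrets.txt"]:
        print(f"{p!r:28} naive={naive_sanitize(p)!s:5} contained={is_contained(PERSONALITY_FOLDER, p)}")
```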
  • Cross-site Scripting (XSS) (severity: Medium)

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the sanitize_svg function.

How to fix Cross-site Scripting (XSS)?

A fix was pushed into the master branch but not yet published.

Vulnerable versions: [0,)
  • Improper Control of Generation of Code ('Code Injection') (severity: High)

Affected versions of this package are vulnerable to Improper Control of Generation of Code ('Code Injection') through the create_conda_env function. An attacker can execute arbitrary commands by manipulating the env_name and python_version parameters that are passed to it.

How to fix Improper Control of Generation of Code ('Code Injection')?

There is no fixed version for lollms.

Vulnerable versions: [0,)
  • Path Traversal (severity: Medium)

Affected versions of this package are vulnerable to Path Traversal in the speaker wav and output file paths. This vulnerability can be abused to write XTTS-compatible audio files to arbitrary locations on the system, and also to enumerate such file paths on the system.

How to fix Path Traversal?

There is no fixed version for lollms.

Vulnerable versions: [0,)
  • Path Traversal (severity: High)

Affected versions of this package are vulnerable to Path Traversal because the root folder setting can be changed without authentication. An attacker can read arbitrary files on the system.

Note: This vulnerability can be abused to write XTTS-compatible audio files to arbitrary locations on the system, and also to enumerate such file paths on the system.

How to fix Path Traversal?

There is no fixed version for lollms.

Vulnerable versions: [0,)