HIGH 8.4

GHSA-jccx-m9v4-9hwh

LoLLMS Code Injection vulnerability

Details

A remote code execution vulnerability exists in the Calculate function of parisneo/lollms version 9.8. The vulnerability arises from the use of Python's `eval()` function to evaluate mathematical expressions within a Python sandbox that disables `__builtins__` and only allows functions from the `math` module. This sandbox can be bypassed by loading the `os` module using the `_frozen_importlib.BuiltinImporter` class, allowing an attacker to execute arbitrary commands on the server. The issue is fixed in version 9.10.

Are you affected?

Enter the version of the package you're using.

Affected packages

PyPI / lollms

Introduced in: 0 Fixed in: 11.0.0

Fix pip install --upgrade 'lollms>=11.0.0'

References

https://nvd.nist.gov/vuln/detail/CVE-2024-6982 [ADVISORY]
https://github.com/parisneo/lollms/commit/30e7eaba2ccfb751a81e7cb29fdef2ae8ffa6832 [WEB]
https://github.com/ParisNeo/lollms [PACKAGE]
https://huntr.com/bounties/4f8e73ac-aaaf-4d5c-a6dd-58215b5a7fea [WEB]