HIGH 7.3

GHSA-w9qf-83jg-2x6c

lollms vulnerable to dot-dot-slash path traversal in XTTS server

Details

A path traversal vulnerability exists in the XTTS server of the parisneo/lollms package version v9.6. This vulnerability allows an attacker to write audio files to arbitrary locations on the system and enumerate file paths. The issue arises from improper validation of user-provided file paths in the `tts_to_file` endpoint.

Are you affected?

Enter the version of the package you're using.

Affected packages

PyPI / lollms

Introduced in: 0

No fixed version published yet for lollms (pip). Pin to a known-safe version or switch to an alternative.

References

https://nvd.nist.gov/vuln/detail/CVE-2024-6139 [ADVISORY]
https://github.com/ParisNeo/lollms [PACKAGE]
https://huntr.com/bounties/fd00f112-efd0-40a1-8227-d6733716e4c0 [WEB]