CVE-2024-4897

UNKNOWN

Published July 2, 2024

parisneo/lollms-webui, in its latest version, is vulnerable to remote code execution due to an insecure dependency on llama-cpp-python version...

Full analysis pending. Showing NVD description excerpt.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
lollms_web_ui	—	—	No patch

Do you use lollms_web_ui? You're affected.

Severity & Risk

CVSS 3.1

N/A

EPSS

N/A

KEV Status

Not in KEV

Sophistication

N/A

Recommended Action

No patch available

Monitor for updates. Consider compensating controls or temporary mitigations.

Compliance Impact

Compliance analysis pending. Sign in for full compliance mapping when available.

Technical Details

NVD Description

parisneo/lollms-webui, in its latest version, is vulnerable to remote code execution due to an insecure dependency on llama-cpp-python version llama_cpp_python-0.2.61+cpuavx2-cp311-cp311-manylinux_2_31_x86_64. The vulnerability arises from the application's 'binding_zoo' feature, which allows attackers to upload and interact with a malicious model file hosted on hugging-face, leading to remote code execution. The issue is linked to a known vulnerability in llama-cpp-python, CVE-2024-34359, which has not been patched in lollms-webui as of commit b454f40a. The vulnerability is exploitable through the application's handling of model files in the 'bindings_zoo' feature, specifically when processing gguf format model files.

Weaknesses (CWE)

CWE-76

References

huntr.com/bounties/ecf386df-4b6a-40b2-9000-db0974355acc
Exploit Issue Patch 3rd Party
huntr.com/bounties/ecf386df-4b6a-40b2-9000-db0974355acc
Exploit Issue Patch 3rd Party

Timeline

Published

July 2, 2024

Last Modified

July 9, 2025

First Seen

July 2, 2024

Back to Threat Feed