CVE-2024-6982 — HIGH (CVSS 8.4) AI Security Vulnerability

Q: Is CVE-2024-6982 actively exploited?

No confirmed active exploitation of CVE-2024-6982 has been reported, but organizations should still patch proactively.

Q: How to fix CVE-2024-6982?

1. PATCH: Upgrade to lollms >= 9.10 (pip install --upgrade lollms) or >= 11.0.0 per pip advisory. 2. ISOLATE: Restrict lollms to localhost or VPN-only until patched — block public network exposure immediately. 3. DETECT: Monitor for unexpected child process spawning from lollms, unusual outbound connections from the lollms host, and access logs for Calculate endpoint calls containing brackets or module references. 4. AUDIT: Inventory all lollms instances (dev, staging, prod) and verify versions. 5. HARDEN: Run lollms in a container with read-only filesystem and dropped capabilities; restrict OS-level execution from the lollms process user.

CISO Take

Any lollms deployment below version 9.10 (pip < 11.0.0) exposes a server-level RCE via a crafted math expression — no authentication required. Patch to 11.0.0 immediately and isolate lollms from untrusted networks in the interim. If you're running lollms in multi-user or network-exposed configurations, treat this as critical regardless of the CVSS local vector.

Risk Assessment

CVSS 8.4 HIGH with low current exploitation probability (EPSS 0.14%). The CVSS vector designates AV:L, but lollms operates as a web application — any user reaching the web UI can trigger the Calculate endpoint, effectively making this network-exploitable in practice. The sandbox escape technique via _frozen_importlib.BuiltinImporter is documented and requires only moderate Python knowledge, lowering the bar for motivated attackers. Risk is highest for teams sharing a lollms instance or exposing it beyond localhost.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
lollms	pip	< 11.0.0	`11.0.0`
72 Pushed 7d ago 33% patched ~1d to patch Full package profile →

Do you use lollms? You're affected.

Severity & Risk

CVSS 3.1

8.4 / 10

EPSS

0.2%

chance of exploitation in 30 days

Higher than 42% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Moderate

Exploitation Confidence

medium

○ CISA SSVC: Public PoC

Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV Local

AC Low

PR None

UI None

S Unchanged

C High

I High

A High

Recommended Action

5 steps

PATCH

Upgrade to lollms >= 9.10 (pip install --upgrade lollms) or >= 11.0.0 per pip advisory.
ISOLATE

Restrict lollms to localhost or VPN-only until patched — block public network exposure immediately.
DETECT

Monitor for unexpected child process spawning from lollms, unusual outbound connections from the lollms host, and access logs for Calculate endpoint calls containing brackets or module references.
AUDIT

Inventory all lollms instances (dev, staging, prod) and verify versions.
HARDEN

Run lollms in a container with read-only filesystem and dropped capabilities; restrict OS-level execution from the lollms process user.

CISA SSVC Assessment

Decision Attend

Exploitation poc

Automatable No

Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Code Execution Auth Bypass Framework API AML.T0049 - Exploit Public-Facing Application AML.T0050 - Command and Scripting Interpreter AML.T0097 - Virtualization/Sandbox Evasion AML.T0105 - Escape to Host

Compliance Impact

This CVE is relevant to:

EU AI Act

Art. 15 - Accuracy, Robustness and Cybersecurity

ISO 42001

A.6.2.3 - AI System Security Controls

NIST AI RMF

GOVERN 1.1 - Policies and Processes for AI Risk Governance MANAGE 2.2 - Mechanisms to Manage AI Risks

OWASP LLM Top 10

LLM07 - Insecure Plugin Design

Frequently Asked Questions

What is CVE-2024-6982?

Any lollms deployment below version 9.10 (pip < 11.0.0) exposes a server-level RCE via a crafted math expression — no authentication required. Patch to 11.0.0 immediately and isolate lollms from untrusted networks in the interim. If you're running lollms in multi-user or network-exposed configurations, treat this as critical regardless of the CVSS local vector.

Is CVE-2024-6982 actively exploited?

No confirmed active exploitation of CVE-2024-6982 has been reported, but organizations should still patch proactively.

How to fix CVE-2024-6982?

1. PATCH: Upgrade to lollms >= 9.10 (pip install --upgrade lollms) or >= 11.0.0 per pip advisory. 2. ISOLATE: Restrict lollms to localhost or VPN-only until patched — block public network exposure immediately. 3. DETECT: Monitor for unexpected child process spawning from lollms, unusual outbound connections from the lollms host, and access logs for Calculate endpoint calls containing brackets or module references. 4. AUDIT: Inventory all lollms instances (dev, staging, prod) and verify versions. 5. HARDEN: Run lollms in a container with read-only filesystem and dropped capabilities; restrict OS-level execution from the lollms process user.

What systems are affected by CVE-2024-6982?

This vulnerability affects the following AI/ML architecture patterns: local LLM deployments, AI assistant platforms, ML UI frameworks, agent frameworks.

What is the CVSS score for CVE-2024-6982?

CVE-2024-6982 has a CVSS v3.1 base score of 8.4 (HIGH). The EPSS exploitation probability is 0.21%.

Technical Details

NVD Description

A remote code execution vulnerability exists in the Calculate function of parisneo/lollms version 9.8. The vulnerability arises from the use of Python's `eval()` function to evaluate mathematical expressions within a Python sandbox that disables `__builtins__` and only allows functions from the `math` module. This sandbox can be bypassed by loading the `os` module using the `_frozen_importlib.BuiltinImporter` class, allowing an attacker to execute arbitrary commands on the server. The issue is fixed in version 9.10.

Exploitation Scenario

An attacker with access to the lollms web interface submits a crafted payload to the Calculate function — e.g., a Python expression leveraging `_frozen_importlib.BuiltinImporter` to load the `os` module despite `__builtins__` being disabled. The payload bypasses the math-only sandbox and executes an arbitrary OS command (e.g., spawning a reverse shell or exfiltrating ~/.env and API key files). Since no authentication is required per the CVSS vector, a threat actor scanning for exposed lollms instances can automate this at scale. The most realistic scenario is a malicious insider or external attacker on the same network exfiltrating the OpenAI/Anthropic API keys configured in the lollms instance.