CVE-2024-6982: lollms: RCE via eval() sandbox bypass in Calculate

GHSA-jccx-m9v4-9hwh HIGH CISA: ATTEND
Published March 20, 2025
CISO Take

Any lollms deployment below version 9.10 (pip < 11.0.0) exposes a server-level RCE via a crafted math expression — no authentication required. Patch to 11.0.0 immediately and isolate lollms from untrusted networks in the interim. If you're running lollms in multi-user or network-exposed configurations, treat this as critical regardless of the CVSS local vector.

What is the risk?

CVSS 8.4 HIGH with low current exploitation probability (EPSS 0.14%). The CVSS vector designates AV:L, but lollms operates as a web application — any user reaching the web UI can trigger the Calculate endpoint, effectively making this network-exploitable in practice. The sandbox escape technique via _frozen_importlib.BuiltinImporter is documented and requires only moderate Python knowledge, lowering the bar for motivated attackers. Risk is highest for teams sharing a lollms instance or exposing it beyond localhost.

What systems are affected?

Package: LoLLMs
Ecosystem: pip
Vulnerable Range: < 11.0.0
Patched: 11.0.0

How severe is it?

CVSS 3.1: 8.4 / 10
EPSS: 0.4% chance of exploitation in 30 days (higher than 35% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Moderate
Exploitation Confidence: medium
CISA SSVC: Public PoC
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV: Local
AC: Low
PR: None
UI: None
S: Unchanged
C: High
I: High
A: High

What should I do?

5 steps
  1. PATCH

    Upgrade to lollms >= 9.10 (pip install --upgrade lollms) or >= 11.0.0 per pip advisory.

  2. ISOLATE

    Restrict lollms to localhost or VPN-only until patched — block public network exposure immediately.

  3. DETECT

    Monitor for unexpected child process spawning from lollms, unusual outbound connections from the lollms host, and access logs for Calculate endpoint calls containing brackets or module references.

  4. AUDIT

    Inventory all lollms instances (dev, staging, prod) and verify versions.

  5. HARDEN

    Run lollms in a container with read-only filesystem and dropped capabilities; restrict OS-level execution from the lollms process user.
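The DETECT step's log check can be scripted as below. This is an added example, not lollms code or part of the advisory: the JSON log layout, the field names and the `/calculate` path are assumptions, and the dunder and attribute-access rules go slightly beyond the "brackets or module references" the step names.

```python
import json
import re

# Constructed access-log records. The field names ("src", "path", "body") and the
# "/calculate" path are assumptions for illustration, not lollms' real log format.
SAMPLE_LOG = """\
{"ts": "2025-03-21T10:02:11Z", "src": "10.0.0.5", "path": "/calculate", "body": "sqrt(16) + 2*pi"}
{"ts": "2025-03-21T10:02:40Z", "src": "10.0.0.5", "path": "/calculate", "body": "sin(0.5) ** 2 + cos(0.5) ** 2"}
{"ts": "2025-03-21T10:03:02Z", "src": "10.0.0.9", "path": "/calculate", "body": "[x for x in (1, 2)]"}
{"ts": "2025-03-21T10:03:05Z", "src": "10.0.0.9", "path": "/calculate", "body": "sqrt(2).__class__"}
{"ts": "2025-03-21T10:03:09Z", "src": "10.0.0.7", "path": "/get_config", "body": "os.name"}
{"ts": "2025-03-21T10:03:15Z", "src": "10.0.0.9", "path": "/calculate", "body": "os.getcwd()"}
"""

# Constructs that a plain arithmetic expression never needs.
RULES = [
    ("bracket", re.compile(r"[\[\]{}]")),
    ("dunder", re.compile(r"__\w+")),
    # name-or-close-paren followed by ".identifier"; decimals such as 0.5 do not match
    ("attribute_access", re.compile(r"[\w)\]]\s*\.\s*[A-Za-z_]")),
    # letter-bounded so that cos()/acos() do not trip the "os" rule
    ("module_reference", re.compile(
        r"(?<![A-Za-z])(?:os|sys|subprocess|importlib|builtins|BuiltinImporter)(?![A-Za-z])")),
]


def flag_calculate_requests(log_text, path="/calculate"):
    """Return (src, body, [rule names]) for each suspicious Calculate request."""
    findings = []
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # not a JSON record, skip
        if not isinstance(rec, dict) or rec.get("path") != path:
            continue
        body = str(rec.get("body", ""))
        hits = [name for name, rx in RULES if rx.search(body)]
        if hits:
            findings.append((rec.get("src"), body, hits))
    return findings


if __name__ == "__main__":
    for src, body, hits in flag_calculate_requests(SAMPLE_LOG):
        print(f"{src}  {', '.join(hits):35}  {body}")
```

A hit is a lead for review rather than proof of compromise; correlate it with the child-process and outbound-connection signals from the same step.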

What does CISA's SSVC say?

Decision: Attend
Exploitation: poc
Automatable: No
Technical Impact: total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act: Art. 15 - Accuracy, Robustness and Cybersecurity
ISO 42001: A.6.2.3 - AI System Security Controls
NIST AI RMF: GOVERN 1.1 - Policies and Processes for AI Risk Governance; MANAGE 2.2 - Mechanisms to Manage AI Risks
OWASP LLM Top 10: LLM07 - Insecure Plugin Design

Frequently Asked Questions

What is CVE-2024-6982?

Any lollms deployment below version 9.10 (pip < 11.0.0) exposes a server-level RCE via a crafted math expression — no authentication required. Patch to 11.0.0 immediately and isolate lollms from untrusted networks in the interim. If you're running lollms in multi-user or network-exposed configurations, treat this as critical regardless of the CVSS local vector.

Is CVE-2024-6982 actively exploited?

No confirmed active exploitation of CVE-2024-6982 has been reported, but organizations should still patch proactively.

How to fix CVE-2024-6982?

  1. PATCH: Upgrade to lollms >= 9.10 (pip install --upgrade lollms) or >= 11.0.0 per pip advisory.
  2. ISOLATE: Restrict lollms to localhost or VPN-only until patched — block public network exposure immediately.
  3. DETECT: Monitor for unexpected child process spawning from lollms, unusual outbound connections from the lollms host, and access logs for Calculate endpoint calls containing brackets or module references.
  4. AUDIT: Inventory all lollms instances (dev, staging, prod) and verify versions.
  5. HARDEN: Run lollms in a container with read-only filesystem and dropped capabilities; restrict OS-level execution from the lollms process user.

What systems are affected by CVE-2024-6982?

This vulnerability affects the following AI/ML architecture patterns: local LLM deployments, AI assistant platforms, ML UI frameworks, agent frameworks.

What is the CVSS score for CVE-2024-6982?

CVE-2024-6982 has a CVSS v3.1 base score of 8.4 (HIGH). The EPSS exploitation probability is 0.43%.

What is the AI security impact?

Affected AI Architectures

local LLM deployments, AI assistant platforms, ML UI frameworks, agent frameworks

MITRE ATLAS Techniques

AML.T0049 Exploit Public-Facing Application
AML.T0050 Command and Scripting Interpreter
AML.T0097 Virtualization/Sandbox Evasion
AML.T0105 Escape to Host

Compliance Controls Affected

EU AI Act: Art. 15
ISO 42001: A.6.2.3
NIST AI RMF: GOVERN 1.1, MANAGE 2.2
OWASP LLM Top 10: LLM07

What are the technical details?

Original Advisory

A remote code execution vulnerability exists in the Calculate function of parisneo/lollms version 9.8. The vulnerability arises from the use of Python's `eval()` function to evaluate mathematical expressions within a Python sandbox that disables `__builtins__` and only allows functions from the `math` module. This sandbox can be bypassed by loading the `os` module using the `_frozen_importlib.BuiltinImporter` class, allowing an attacker to execute arbitrary commands on the server. The issue is fixed in version 9.10.

Exploitation Scenario

An attacker with access to the lollms web interface submits a crafted payload to the Calculate function — e.g., a Python expression leveraging `_frozen_importlib.BuiltinImporter` to load the `os` module despite `__builtins__` being disabled. The payload bypasses the math-only sandbox and executes an arbitrary OS command (e.g., spawning a reverse shell or exfiltrating ~/.env and API key files). Since no authentication is required per the CVSS vector, a threat actor scanning for exposed lollms instances can automate this at scale. The most realistic scenario is a malicious insider or external attacker on the same network exfiltrating the OpenAI/Anthropic API keys configured in the lollms instance.

Weaknesses (CWE)

CWE-94 — Improper Control of Generation of Code ('Code Injection'): The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

  • [Architecture and Design] Refactor your program so that you do not have to dynamically generate code.
  • [Architecture and Design] Run your code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which code can be executed by your product. Examples include the Unix chroot jail and AppArmor. In general, managed code may provide some protection. This may not be a feasible solution, and it only limits the impact to the operating system; the rest of your application may still be subject to compromise. Be careful to avoid CWE-243 and other weaknesses related to jails.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

Published: March 20, 2025
Last Modified: March 21, 2025
First Seen: March 24, 2026
