CVE-2024-6985: lollms: path traversal allows arbitrary directory read
GHSA-6h64-g7cj-hj56 | MEDIUM | PoC AVAILABLE | CISA: TRACK*
If your team runs LoLLMs (a local LLM WebUI) version 9.5.1 or earlier, a privileged local user can bypass path sanitization to read any directory on the host via the personality API. Exploitation requires High privileges and local access, limiting real-world blast radius — but in shared or multi-user deployments, this becomes a meaningful lateral movement primitive. Patch to a version beyond 9.5.1 or restrict API access to trusted users only.
Risk Assessment
CVSS 4.4 Medium, but context matters. The Local attack vector (AV:L) and High privileges requirement (PR:H) significantly constrain exploitability — this is not remotely exploitable without prior access. EPSS of 0.00053 confirms near-zero current exploitation activity. However, the Confidentiality impact is HIGH, meaning a successful exploit gives full read access to any directory on the host. In shared environments or developer workstations where LoLLMs is exposed over a local network, the effective risk escalates. Not in CISA KEV.
Affected Systems
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| lollms | pip | <= 9.5.1 | No patch |
Recommended Action
1. **Patch immediately**: Update lollms to any version beyond 9.5.1. The fix is committed at github.com/parisneo/lollms/commit/28ee567.
2. **Verify patch status**: Run `pip show lollms` and confirm version > 9.5.1.
3. **Restrict API access**: If running LoLLMs as a service, bind it to localhost only (127.0.0.1) rather than 0.0.0.0. Use firewall rules or reverse proxy ACLs to block unauthenticated access to the API.
4. **Audit exposure**: Check if LoLLMs is exposed on any network-accessible interface in your environment.
5. **Detection**: Monitor for API requests to `/api/open_personality_folder` containing `../` or URL-encoded traversal sequences (`%2e%2e`, `%2f`) in logs.
6. **Workaround** (if patching is delayed): Restrict the LoLLMs process user account permissions to the minimum required directories using OS-level controls (chroot, AppArmor, systemd sandboxing).
CISA SSVC Assessment
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
Frequently Asked Questions
What is CVE-2024-6985?
If your team runs LoLLMs (a local LLM WebUI) version 9.5.1 or earlier, a privileged local user can bypass path sanitization to read any directory on the host via the personality API. Exploitation requires High privileges and local access, limiting real-world blast radius — but in shared or multi-user deployments, this becomes a meaningful lateral movement primitive. Patch to a version beyond 9.5.1 or restrict API access to trusted users only.
Is CVE-2024-6985 actively exploited?
Proof-of-concept exploit code is publicly available for CVE-2024-6985, increasing the risk of exploitation.
How to fix CVE-2024-6985?
1. **Patch immediately**: Update lollms to any version beyond 9.5.1. The fix is committed at github.com/parisneo/lollms/commit/28ee567.
2. **Verify patch status**: Run `pip show lollms` and confirm version > 9.5.1.
3. **Restrict API access**: If running LoLLMs as a service, bind it to localhost only (127.0.0.1) rather than 0.0.0.0. Use firewall rules or reverse proxy ACLs to block unauthenticated access to the API.
4. **Audit exposure**: Check if LoLLMs is exposed on any network-accessible interface in your environment.
5. **Detection**: Monitor for API requests to `/api/open_personality_folder` containing `../` or URL-encoded traversal sequences (`%2e%2e`, `%2f`) in logs.
6. **Workaround** (if patching is delayed): Restrict the LoLLMs process user account permissions to the minimum required directories using OS-level controls (chroot, AppArmor, systemd sandboxing).
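The detection step in the recommended actions and in this answer can be run over access logs as follows. This is an added example, not code from lollms or from this advisory's source; it assumes the `personality_folder` parameter appears in the logged request target and that logs carry a quoted request line, and the sample lines (including `/api/other_endpoint`) are constructed.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

ENDPOINT = "/api/open_personality_folder"  # endpoint named in the advisory
# Assumption: access logs carry a quoted request line, "METHOD target HTTP/x.y".
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')
# A ".." path segment delimited by "/" or "\" (or by the ends of the value).
DOTDOT_RE = re.compile(r"(^|[\\/])\.\.([\\/]|$)")

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input (%252e) is normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_value(line):
    """Return the decoded parameter value that contains traversal, else None."""
    match = REQUEST_RE.search(line)
    if not match:
        return None
    target = urlsplit(match.group("target"))
    if fully_decode(target.path).rstrip("/") != ENDPOINT:
        return None
    for _name, value in parse_qsl(target.query, keep_blank_values=True):
        value = fully_decode(value)  # parse_qsl already decoded one layer
        if DOTDOT_RE.search(value):
            return value
    return None

def scan(lines):
    """Return (line_number, decoded_value) for every flagged log line."""
    checked = [(n, suspicious_value(l)) for n, l in enumerate(lines, start=1)]
    return [(n, v) for n, v in checked if v is not None]

# Constructed sample log lines (not taken from a real deployment).
SAMPLE_LOG = [
    f'10.0.0.5 - - [01/Jan/2025:10:00:00 +0000] "GET {t} HTTP/1.1" 200 17'
    for t in (
        "/api/open_personality_folder?personality_folder=generic/assistant",
        "/api/open_personality_folder?personality_folder=../../../../home/mldev/.ssh/",
        "/api/open_personality_folder?personality_folder=%2e%2e%2f%2e%2e%2fetc",
        "/api/open_personality_folder?personality_folder=%252e%252e%252fetc",
        "/api/other_endpoint?path=../x",  # different endpoint, out of scope
    )
]

if __name__ == "__main__":
    for number, value in scan(SAMPLE_LOG):
        print(f"line {number}: traversal in parameter value {value!r}")
```

Decoding to a fixed point before matching means single- and double-encoded sequences are reported in the same normalised form, which keeps alert deduplication simple.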
What systems are affected by CVE-2024-6985?
This vulnerability affects the following AI/ML architecture patterns: local LLM deployments, agent frameworks, model serving.
What is the CVSS score for CVE-2024-6985?
CVE-2024-6985 has a CVSS v3.1 base score of 4.4 (MEDIUM). The EPSS exploitation probability is 0.05%.
Technical Details
NVD Description
A path traversal vulnerability exists in the api open_personality_folder endpoint of parisneo/lollms. This vulnerability allows an attacker to read any folder in the personality_folder on the victim's computer, even though sanitize_path is set. The issue arises due to improper sanitization of the personality_folder parameter, which can be exploited to traverse directories and access arbitrary files.
Exploitation Scenario
An adversary with privileged access to a shared development server running LoLLMs (common in ML teams with shared GPU workstations) sends a crafted GET request to the personality API endpoint with a traversal payload in the `personality_folder` parameter — e.g., `../../../../home/mldev/.ssh/`. Despite the `sanitize_path` call, the incomplete sanitization allows the traversal to succeed, returning a directory listing. The attacker iterates through known paths to harvest model API keys stored in config files, extract training data metadata, or pivot to SSH credentials for lateral movement. Because LoLLMs is often run with developer-level privileges for GPU access, the exposed paths can include sensitive model IP and infrastructure credentials.
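The scenario above depends on a folder parameter escaping its intended root. As an added example (not lollms code and not the upstream fix), this is one way to confine such a value by resolving it and checking containment instead of filtering substrings; `resolve_inside`, the directory names and the test inputs are assumptions made for illustration.

```python
import os
import tempfile
from pathlib import Path


def resolve_inside(root, user_value):
    """Return the resolved path if it stays under root, else raise ValueError."""
    root = Path(root).resolve()
    # An absolute user_value replaces root in the join; resolve() also follows
    # symlinks and collapses "..", so the check below sees the real target.
    candidate = (root / user_value).resolve()
    if not candidate.is_relative_to(root):
        raise ValueError(f"path escapes {root}: {user_value!r}")
    return candidate


def demo():
    """Classify several inputs against a constructed directory tree."""
    inputs = [
        "generic/assistant",             # legitimate sub-folder
        "../secrets",                    # plain traversal
        "generic/../../secrets",         # traversal hidden behind a valid prefix
        "/etc",                          # absolute path
        "link",                          # symlink inside root pointing outside
        "../../../../home/mldev/.ssh/",  # payload quoted in the advisory
    ]
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp, "personalities")
        (root / "generic" / "assistant").mkdir(parents=True)
        Path(tmp, "secrets").mkdir()
        os.symlink(Path(tmp, "secrets"), root / "link")
        for value in inputs:
            try:
                resolve_inside(root, value)
                results[value] = "allowed"
            except ValueError:
                results[value] = "rejected"
    return results


if __name__ == "__main__":
    for value, verdict in demo().items():
        print(f"{verdict:8} {value}")
```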
CVSS Vector
CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Related Vulnerabilities
- CVE-2026-1115 (9.6) lollms: Stored XSS enables wormable account takeover (same package: lollms)
- CVE-2024-6982 (8.4) lollms: RCE via eval() sandbox bypass in Calculate (same package: lollms)
- CVE-2026-1117 (8.2) lollms: Access Control bypass enables privilege escalation (same package: lollms)
- CVE-2025-6386 (7.5) lollms: timing attack enables credential enumeration (same package: lollms)
- CVE-2024-6581 (6.5) Lollms: SVG upload XSS enables session hijack and RCE (same package: lollms)