CVE-2024-2356
Unknown Unknown - Not Provided
Local File Inclusion in parisneo/lollms-webui Enables RCE

Publication date: 2026-02-02

Last updated on: 2026-02-02

Assigner: huntr.dev

Description
A Local File Inclusion (LFI) vulnerability exists in the '/reinstall_extension' endpoint of the parisneo/lollms-webui application, specifically within the `name` parameter of the `@router.post("/reinstall_extension")` route. This vulnerability allows attackers to inject a malicious `name` parameter, leading to the server loading and executing arbitrary Python files from the upload directory for discussions. This issue arises due to the concatenation of `data.name` directly with `lollmsElfServer.lollms_paths.extensions_zoo_path` and its use as an argument for `ExtensionBuilder().build_extension()`. The server's handling of the `__init__.py` file in arbitrary locations, facilitated by `importlib.machinery.SourceFileLoader`, enables the execution of arbitrary code, such as command execution or creating a reverse-shell connection. This vulnerability affects the latest version of parisneo/lollms-webui and can lead to Remote Code Execution (RCE) when the application is exposed to an external endpoint or the UI, especially when bound to `0.0.0.0` or in `headless mode`. No user interaction is required for exploitation.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-02
Last Modified
2026-02-02
Generated
2026-06-16
AI Q&A
2026-02-02
EPSS Evaluated
2026-06-14
NVD
CVE-2024-2356
EUVD
EUVD-2024-27309
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
parisneo lollms-webui *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-29 The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '\..\filename' (leading backslash dot dot) sequences that can resolve to a location that is outside of that directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a Local File Inclusion (LFI) issue in the '/reinstall_extension' endpoint of the parisneo/lollms-webui application. It occurs because the 'name' parameter is concatenated directly with a server path and used to load Python files without proper sanitization. This allows an attacker to inject a malicious 'name' parameter, causing the server to load and execute arbitrary Python code from the upload directory. The vulnerability can lead to Remote Code Execution (RCE), enabling attackers to run commands or create reverse-shell connections without user interaction, especially when the application is exposed externally or running in headless mode. [1]

Impact Analysis

This vulnerability can have severe impacts including unauthorized remote code execution on the server hosting the application. Attackers can execute arbitrary Python code, potentially leading to full system compromise, data theft, unauthorized data manipulation, server crashes, or establishing persistent backdoors such as reverse shells. If the application is exposed to external networks or bound to all interfaces (0.0.0.0), attackers can exploit this without any user interaction, making it highly dangerous. [1]

Detection Guidance

Detection can involve monitoring access to the '/reinstall_extension' endpoint for suspicious 'name' parameter values that attempt path traversal or unusual file names. Additionally, checking logs for unexpected Python file executions or reverse-shell connections may indicate exploitation attempts. Specific commands are not provided in the resources, but general network monitoring tools (e.g., tcpdump, Wireshark) and log inspection commands (e.g., grep on server logs for '/reinstall_extension' or Python execution traces) can be used. [1]

Mitigation Strategies

Immediate mitigation steps include restricting access to sensitive API endpoints such as '/reinstall_extension' to localhost only using the 'forbid_remote_access' function from the 'lollms.security' module, sanitizing all user inputs especially the 'name' parameter to prevent path traversal, avoiding allowing absolute paths in file handling, implementing robust path sanitization with 'sanitize_path', adding exception handling around command execution to prevent crashes, and applying sandboxing and privilege restrictions on code execution engines to prevent remote code execution. These steps significantly reduce the risk of unauthorized access and exploitation. [1]

Compliance Impact

The provided resources do not explicitly discuss the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA. However, given that the vulnerability allows remote code execution and unauthorized access to sensitive endpoints, it could potentially lead to unauthorized data access or manipulation, which may violate data protection requirements under such regulations. Specific compliance implications are not detailed in the provided text. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2024-2356. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart