CVE-2024-2356
Local File Inclusion in parisneo/lollms-webui Enables RCE
Publication date: 2026-02-02
Last updated on: 2026-02-02
Assigner: huntr.dev
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| parisneo | lollms-webui | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-29 | The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '\..\filename' (leading backslash dot dot) sequences that can resolve to a location that is outside of that directory. |
AI Powered Q&A
Can you explain this vulnerability to me?
This is a Local File Inclusion (LFI) flaw in the '/reinstall_extension' endpoint of parisneo/lollms-webui. The endpoint concatenates the user-supplied 'name' parameter directly onto a server-side path and then loads the resulting Python file, without sanitizing the value. By supplying a 'name' containing path-traversal sequences (or an absolute path), an attacker can point the loader at a file they control, such as one placed in the upload directory, and have the server import and execute it. Because the loaded file is executed as Python, the issue amounts to Remote Code Execution (RCE): no user interaction is required, and the risk is greatest when the application is reachable from outside the host or is running in headless mode. [1]
How can this vulnerability impact me?
Successful exploitation gives the attacker arbitrary Python code execution on the server hosting the application, with the privileges of the lollms-webui process. That can lead to full system compromise, theft or manipulation of data, server crashes, or persistent backdoors such as reverse shells. If the application is exposed to external networks or bound to all interfaces (0.0.0.0), the flaw is exploitable remotely without any user interaction, which makes it highly dangerous. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection starts with the web server or application access log: look for requests to '/reinstall_extension' whose 'name' parameter contains traversal sequences ('../', '..\', or percent-encoded forms such as '%2e%2e%2f') or an absolute path, and for any request to that endpoint from a non-loopback address, since the endpoint is meant to be reachable only locally. On the host, unexpected Python files appearing in the upload directory, new outbound connections from the lollms-webui process, or shells spawned by it are indicators of successful exploitation. The resources do not give specific commands, but standard tooling applies: 'grep' over the access log for '/reinstall_extension', and network capture tools such as tcpdump or Wireshark to spot reverse-shell connections. [1]
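The log inspection described above, as an added example that is not part of the advisory or of the lollms-webui project: it parses access log lines (the combined log format is an assumption; the log lines are constructed for the example), flags requests to '/reinstall_extension' whose 'name' parameter contains a traversal sequence or absolute path after repeated percent-decoding, and separately flags any request to that endpoint from a non-loopback address.

```python
"""Flag suspicious requests to /reinstall_extension in access logs.

Added example, not code from the advisory or from lollms-webui. The log format
(Apache/Nginx combined) and the sample lines below are constructed assumptions.
"""
import ipaddress
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample log lines. Lines 4 and 5 are traversal attempts (plain and
# percent-encoded); line 6 is a POST whose body (and therefore 'name') is not logged.
SAMPLE_LOG = """\
127.0.0.1 - - [02/Feb/2026:10:00:00 +0000] "GET /reinstall_extension?name=my_ext HTTP/1.1" 200 512 "-" "curl/8.0"
10.0.0.5 - - [02/Feb/2026:10:00:01 +0000] "GET /reinstall_extension?name=my_ext HTTP/1.1" 200 512 "-" "curl/8.0"
10.0.0.5 - - [02/Feb/2026:10:00:02 +0000] "GET /list_extensions HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [02/Feb/2026:10:00:03 +0000] "GET /reinstall_extension?name=../../uploads/evil HTTP/1.1" 200 128 "-" "python-requests/2.31"
203.0.113.7 - - [02/Feb/2026:10:00:04 +0000] "GET /reinstall_extension?name=..%2F..%2Fuploads%2Fevil HTTP/1.1" 200 128 "-" "python-requests/2.31"
203.0.113.7 - - [02/Feb/2026:10:00:05 +0000] "POST /reinstall_extension HTTP/1.1" 200 128 "-" "python-requests/2.31"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
ENDPOINT = "/reinstall_extension"
# '..' as a whole path component with either separator; anchored so 'foo..bar' is not a hit.
TRAVERSAL_RE = re.compile(r'(?:^|[\\/])\.\.(?:[\\/]|$)')
# Leading slash, backslash, or a Windows drive prefix.
ABSOLUTE_RE = re.compile(r'^(?:[\\/]|[A-Za-z]:[\\/])')


def fully_decode(value, rounds=3):
    """Undo repeated percent-encoding so %2e%2e%2f and double-encoded variants are caught."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_name(name):
    """Return a reason string if the 'name' value looks like traversal, else None."""
    decoded = fully_decode(name)
    if TRAVERSAL_RE.search(decoded):
        return "traversal sequence in name"
    if ABSOLUTE_RE.match(decoded):
        return "absolute path in name"
    return None


def find_suspicious_requests(log_text):
    """Return one dict per flagged request, in log order, with the reasons it was flagged."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        if parts.path != ENDPOINT:
            continue
        reasons = []
        # The endpoint is meant to be localhost-only, so any other source is worth a look.
        try:
            if not ipaddress.ip_address(m["ip"]).is_loopback:
                reasons.append("non-loopback source")
        except ValueError:
            reasons.append("unparseable source address")
        for name in parse_qs(parts.query).get("name", []):
            reason = suspicious_name(name)
            if reason:
                reasons.append(reason)
        if m["method"] == "POST" and not parts.query:
            reasons.append("body not in access log; inspect application log")
        if reasons:
            hits.append({"ip": m["ip"], "ts": m["ts"], "target": m["target"], "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_requests(SAMPLE_LOG):
        print(hit["ts"], hit["ip"], hit["target"], "->", "; ".join(hit["reasons"]))
```

The decode loop matters: parse_qs already removes one layer of percent-encoding, but a doubly encoded '..%252F..' would survive a single pass and slip past a naive grep for '../'.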
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation: restrict sensitive API endpoints such as '/reinstall_extension' to localhost, for example with the 'forbid_remote_access' function from the 'lollms.security' module; validate the 'name' parameter against an allow-list and apply the module's 'sanitize_path' helper so traversal sequences are rejected; never accept absolute paths in file handling, and verify that the resolved path stays inside the extensions directory; wrap command execution in exception handling so malformed input cannot crash the server; and run any code-execution engine sandboxed and with reduced privileges so that a successful injection is contained. Together these steps remove the remote attack surface and block the traversal that makes the endpoint exploitable. [1]
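The unsafe concatenation pattern the advisory describes beside a hardened replacement, as an added example that is not lollms-webui's own code: the directory layout, the '__init__.py' entry file and the function names are hypothetical. The hardened version combines an allow-list on the name with a containment check on the resolved path, which also stops a symlink inside the extensions directory from pointing outside it. The localhost restriction via 'forbid_remote_access' from the page's mitigation is a separate control and is not reproduced here.

```python
"""Extension-name path handling: unsafe concatenation vs. a hardened version.

Added example, not code from lollms-webui. DEFAULT_ROOT and the '__init__.py'
entry-file convention are assumptions made for the illustration.
"""
import re
from pathlib import Path

# Assumed location of installed extensions; relative to the working directory so the
# example runs anywhere without touching the filesystem.
DEFAULT_ROOT = Path.cwd() / "extensions"

# Allow-list: a name is a single path component with no separators and no leading dot,
# so '..', '../x', '\..\x' and 'C:\x' are all rejected before any path arithmetic.
NAME_RE = re.compile(r'^[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}$')


def unsafe_extension_path(name, root=DEFAULT_ROOT):
    """The pattern the advisory describes: raw concatenation, no validation.

    '../../uploads/evil' walks out of root, and an absolute name such as
    '/uploads/evil' replaces root entirely under pathlib's join semantics."""
    return root / name / "__init__.py"


def is_contained(candidate, root):
    """True if candidate, once '..' and symlinks are resolved, lies under root."""
    try:
        Path(candidate).resolve(strict=False).relative_to(Path(root).resolve(strict=False))
        return True
    except ValueError:
        return False


def safe_extension_path(name, root=DEFAULT_ROOT):
    """Return the entry file for a validated extension name, or raise ValueError.

    The allow-list is the primary check (and the only one that understands
    backslashes on a POSIX host); the containment check is defense in depth."""
    if not NAME_RE.fullmatch(name):
        raise ValueError(f"invalid extension name: {name!r}")
    candidate = root / name / "__init__.py"
    if not is_contained(candidate, root):
        raise ValueError(f"path escapes extension directory: {name!r}")
    return candidate.resolve(strict=False)


if __name__ == "__main__":
    for probe in ["my_ext", "../../uploads/evil", "/uploads/evil", "\\..\\evil"]:
        print(f"{probe!r:22} unsafe -> {unsafe_extension_path(probe)}")
        try:
            print(f"{'':22} safe   -> {safe_extension_path(probe)}")
        except ValueError as exc:
            print(f"{'':22} safe   -> rejected: {exc}")
```

The order of the checks is deliberate: validating the name first means the containment check never sees attacker-shaped input, and rejecting backslashes in the allow-list is what covers the '\..\' form of CWE-29 on a Windows host, where the path library would otherwise treat it as a separator.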
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided resources do not explicitly discuss the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA. However, given that the vulnerability allows remote code execution and unauthorized access to sensitive endpoints, it could potentially lead to unauthorized data access or manipulation, which may violate data protection requirements under such regulations. Specific compliance implications are not detailed in the provided text. [1]