A remote code execution (RCE) vulnerability exists in the '/install_extension' endpoint of the parisneo/lollms-webui application, specifically within the `@router.post("/install_extension")` route handler. The vulnerability arises due to improper handling of the `name` parameter in the `ExtensionBuilder().build_extension()` method, which allows for local file inclusion (LFI) leading to arbitrary code execution. An attacker can exploit this vulnerability by crafting a malicious `name` parameter that causes the server to load and execute a `__init__.py` file from an arbitrary location, such as the upload directory for discussions. This vulnerability affects the latest version of parisneo/lollms-webui and can lead to remote code execution without requiring user interaction, especially when the application is exposed to an external endpoint or operated in headless mode.
The vulnerability results from improper handling of the `name` parameter in the `ExtensionBuilder().build_extension()` method called by the `@router.post("/install_extension")` route handler. An attacker sends a crafted `name` parameter that causes the server to load and execute the `__init__.py` file from any location in the filesystem — for example from the discussion upload directory. This is a Local File Inclusion (LFI) case leading directly to arbitrary code execution.
An attacker can remotely execute arbitrary code on the server without authentication, leading to complete system compromise, including violation of confidentiality, integrity and availability of data.
Apply patches available from the vendor according to references. As a temporary measure, it is recommended to restrict access to the '/install_extension' endpoint only to trusted networks or users and avoid exposing the application on external network interfaces.
Latest version of parisneo/lollms-webui application — particularly installations accessible from an external network endpoint or running in headless mode
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HLollms Web Ui
APPLollmswszystkie wersje
Related vulnerabilities
SSRF i brak uwierzytelnienia w lollms-webui — dostęp do wewnętrznych zasobów
Path traversal w API install/uninstall lollms-webui V12 (Strawberry)
Path Traversal w lollms-webui umożliwia usunięcie dowolnego pliku
Path Traversal i DoS w endpoint /select_database aplikacji lollms-webui
Command Injection w lollms-webui — obejście zabezpieczeń i RCE