CRITICAL🇵🇱 Wersja polska

CVE-2024-5181

CVSS 9.8v3.0pub. 2024-06-26upd. 2025-07-15

A command injection vulnerability exists in the mudler/localai version 2.14.0. The vulnerability arises from the application's handling of the backend parameter in the configuration file, which is used in the name of the initialized process. An attacker can exploit this vulnerability by manipulating the path of the vulnerable binary file specified in the backend parameter, allowing the execution of arbitrary code on the system. This issue is due to improper neutralization of special elements used in an OS command, leading to potential full control over the affected system.

🤖 AI Analysis
How it works

The vulnerability results from improper neutralization of special characters in the 'backend' parameter of the application configuration file. This parameter is used to specify the path of the initiated binary process. An attacker can manipulate the path to the referenced binary file by injecting malicious system commands, which are then executed by the operating system without proper validation. As a result, the application unknowingly runs commands provided by the attacker with the privileges of the LocalAI process.

Impact

An attacker can gain full control over the operating system on which LocalAI runs, including arbitrary code execution, data theft, and compromise of system integrity and availability.

Mitigation & patch

Patches available from the vendor should be applied according to references — the fix was published in the GitHub repository under commit 1a3dedece06cab1acc3332055d285ac540a47f0e. Immediate update to a version containing the indicated patch is recommended.

Who is affected

mudler/LocalAI version 2.14.0

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Mudler Localai

    APP
    Mudler
    2.14.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Command Injection
CWE
References

Related vulnerabilities

CVE-2024-6868CRITICAL9.8PL ✓ten sam produkt

Podatność tarslip w LocalAI umożliwiająca RCE przez arbitralny zapis pliku

CVE-2024-5182CRITICAL9.1PL ✓ten sam produkt

Path traversal w LocalAI umożliwiający usuwanie dowolnych plików

CVE-2024-2029CRITICAL9.8PL ✓ten sam produkt

Command injection w mudler/LocalAI — endpoint transkrypcji audio

CVE-2024-6983HIGH8.8ten sam produkt

mudler/localai version 2.17.1 is vulnerable to remote code execution. The vulnerability arises because the loc...

CVE-2024-9900MEDIUM6.1ten sam produkt

mudler/localai version v2.21.1 contains a Cross-Site Scripting (XSS) vulnerability in its search functionality...