World-Writable NLTK Cache Directory Enables Local Users to Tamper with or Delete NLP Data
Description The llama_index library sets the NLTK data directory to a subdirectory of the codebase by default, e.g., _static/nltk_cache inside the package directory. In multi-user environments or shared hosting, this directory is world-writable or accessible by multiple users. As a result, any user c...
Dependency chain attack through hijacking broken GitHub repository at https://github.com/huggingface/transformers/blob/main/src/transformers/models/fuyu/convert_fuyu_model_weights_to_hf.py
Description Type: Dependency Chain Attack through hijacking broken GitHub repository. Risk: High; allows arbitrary code execution in model conversion workflows. Affected Asset: https://github.com/adept-ai-labs/adept-inference (broken URL in Hugging Face Transformers). Root Cause: The Hugging Face...
LangChain HTMLSectionSplitter – XXE caused by unsafe XSLT parsing
This report is not public...
Path traversal, lead to remote code execution
Description clearml's safe_extract is actually NOT secure. It fails to properly handle symbolic links and hard links. When these links point to files outside the TAR archive, it can lead to arbitrary file writes, potentially resulting in remote code execution. Due to a change in th...
Path traversal, lead to remote code execution
Description In zenml's PathMaterializer class, the load function uses is_path_within_directory to validate files during data.tar.gz extraction. While this prevents path traversal vulnerabilities, it fails to effectively detect symbolic and hard links. with tarfile.open(archive_path_local, "r:gz") as tar...
Insecure Temporary File Handling Vulnerability in llama-index-core
Description The get_cache_dir function in llama-index-core uses a predictable, hardcoded directory path /tmp/llama_index on Linux systems without proper security controls. This vulnerability allows attackers on multi-user systems to steal proprietary models, poison cached embeddings, or conduct...
Incorrect Access Control check results in authorization bypass
Description When setting the access control for users, an incorrect access check allows for the bypass of authorization, due to the incorrect use of `.some`. Proof of Concept 1. This is for a scenario where I (admin) have created a custom agent and want everyone on the platform to use it, without bei...
SSRF in MLflow via user-controlled gateway_path parameter
Description A Server-Side Request Forgery (SSRF) vulnerability exists in the gateway_proxy_handler function of MLflow. This function accepts a user-controlled gateway_path parameter and concatenates it directly with a target_uri, allowing an attacker to control the full outbound HTTP request path from...
Mass Assignment
Description Mass assignment is a vulnerability that occurs when an application automatically binds user-provided data (e.g., from JSON via req.query) to internal object properties or database fields without proper filtering. This can allow attackers to manipulate sensitive fields they shouldn't hav...
Bypass of MySQL JDBC Attack for CVE-2025-6507
Credits: Le1a (https://github.com/Le1a), A1kaid (https://github.com/for-A1kaid), ph0ebus (https://github.com/ph0ebus). Description Attackers can exploit this vulnerability to read any system file and even execute arbitrary code through deserialization. The project manager fixed CVE-2025-6507, which I discovere...
Improper Access Control in Socket.IO Event Handlers Allows Unauthenticated Execution of Sensitive Actions
1. Summary Vulnerability: Unauthenticated Access to Sensitive Socket.IO Events. Affected Component: lollms_generation_events.py in the lollms server. Root Cause: Sensitive actions exposed via Socket.IO events lack authentication and authorization checks, and the application relies on insecure global...
Regular Expression Denial of Service (ReDoS) in AdamWeightDecay Optimizer
The AdamWeightDecay optimizer is vulnerable to Regular Expression Denial of Service (ReDoS). If an attacker can control the patterns in the include_in_weight_decay or exclude_from_weight_decay lists, they can provide a malicious regular expression that causes catastrophic backtracking. When the optimizer...
Path Traversal in Tokenizer Conversion Script
The script for converting slow tokenizers is vulnerable to a Path Traversal attack via the --checkpoint_name command-line argument. This allows an attacker to create files outside of the intended dump_path directory. Vulnerable Code Location: The vulnerability is located in the logic for converting...
Brotli decompression bomb DoS
This report is not public...
Regular expression Denial of Service - ReDoS
Description A regular expression denial of service (ReDoS) vulnerability has been identified in the Hugging Face Transformers library's MarianTokenizer. The vulnerability exists in the remove_language_code method of the MarianTokenizer class, which processes text to remove language codes. The method...
Brotli decompression bomb DoS
Description urllib3 cannot stream brotli-encoded responses properly, unlike the way it handles gzip responses. It always loads the entire decompressed response body into memory when reading a brotli-encoded response, which allows malicious servers to perform a DoS attack by responding with a decompression...
Full system file read and delete via GET /api/v1/images/download/{bulk_download_item_name}
Description For invokeai version v6.0.0a1 and below, there is an endpoint for bulk downloading a zip file. With some manipulation of the filename arguments, an attacker can read and also delete any files on the server through this endpoint. P.S.: Tested on Windows. Proof of Concept Request: GET...
I
Description Improper authorization controls in the conversation sharing feature make it possible to access other users' conversations given a known conversation ID. The exploitability is limited by the fact that UUIDv4 conversation IDs are generated on the server side and are practically impossib...
Regular expression Denial of Service - ReDoS
Description A regular expression denial of service (ReDoS) vulnerability has been identified in the Hugging Face Transformers library's CLVP number normalizer. The vulnerability exists in the normalize_numbers method of the EnglishNormalizer class, which converts numeric strings to their English wor...
H2O-3 MySQL JDBC Driver Deserialization Vulnerability_Key-Value Bypass Parameter Inspection
Creator: zack. H2O-3 Version: 3.46.0.7, 3.47.0.6928. MySQL JDBC Driver Version: 8.0.19. JDK Version: 8u112. Description There is a JDBC deserialization vulnerability in the H2O-3 REST API (POST /99/ImportSQLTable) that does not require authentication. This vulnerability can lead to Remote Code Executio...
MySQL JDBC Attack about CVE-2024-45758 and CVE-2024-10553 Bypass
Summary Attackers can exploit this vulnerability to read any system file and even execute arbitrary code through deserialization. Details: https://github.com/h2oai/h2o-3/commit/ac1d642b4d86f10a02d75974055baf2a4b2025ac. Affected Version: The latest master branch. Build project version: 3.47.0.99999...
langchain-community: Sensitive Information Disclosure Due to Insecure XML Parsing in EverNoteLoader
This report is not public...
Denial of Service(DOS) in JSONReader
Description There exists a denial of service (DOS) vulnerability that occurs by Python hitting max recursion depth while parsing a deeply nested JSON file using JSONReader. Vulnerable piece of code...
Environment Variable XSS in Analytics Component
Description A critical stored Cross-Site Scripting (XSS) vulnerability exists in the Analytics component of lunary-ai/lunary where the NEXT_PUBLIC_CUSTOM_SCRIPT environment variable is directly injected into the DOM using dangerouslySetInnerHTML without any sanitization or validation. This allows...
IDOR Vulnerability in Template Creation via `projectId` Manipulation
Description An Insecure Direct Object Reference (IDOR) vulnerability exists in the POST /v1/templates endpoint of the Lunary API. This allows an authenticated user to create templates in another user's project by modifying the projectId query parameter. This occurs due to a lack of server-side...
Regular expression Denial of Service - ReDoS
Description A regular expression denial of service (ReDoS) vulnerability has been identified in the Hugging Face Transformers library's weight conversion utility. The vulnerability exists in the convert_tf_weight_name_to_pt_weight_name function, which converts TensorFlow weight names to PyTorch format. Th...
Divide By Zero lead to DOS
This report is not public...
Python sandbox escape leading to Remote Code Execution (RCE)
Smolagents Python sandbox escape leading to Remote Code Execution (RCE). Summary Smolagents is a barebones library for building agents that "think in Python code", generating and executing Python as part of their reasoning process. Given this design, secure code execution is a critical backbone of...
Regular expression Denial of Service - ReDoS in huggingface/transformers
Description A regular expression denial of service (ReDoS) vulnerability has been identified in the Hugging Face Transformers library's Donut processor. The vulnerability exists in the token2json method of the DonutProcessor class, which processes document tokens into JSON format. The regex pattern...
MD5 Hash Collision in DocugamiReader Overwrites Structurally Distinct Chunks with Identical Text
Description The DocugamiReader class in llama_index retrieves structured XML documents from the Docugami API, parses them into semantic chunks, and converts them into Document objects. To assign consistent IDs to each chunk, the following logic is used: hashed_id =...
Denial of Service via `Uncontrolled Recursive` JSON Parsing in `JSONReader`
Description The JSONReader in llama_index is vulnerable to stack overflow when processing deeply nested JSON, leading to a RecursionError. Attackers can exploit this to trigger Denial of Service (DoS) by submitting malicious JSON, crashing applications before input validation. This impacts...
Hardlink-Based Path Traversal in ObsidianReader
Overview A vulnerability has been identified in the ObsidianReader class from llama_index.readers.obsidian. This vulnerability allows an attacker to bypass the path restriction mechanism using hardlinks, enabling unauthorized access to sensitive system files such as /etc/passwd. Affected Componen...
Arbitrary file read through path traversal
Description: The code in generic_utils.py has a path traversal vulnerability, which allows an attacker to control the file path provided to the ImageDocument class. This can lead to the reading of arbitrary files on the server, including sensitive system files, through base64 encoding and decoding...
Unsafe `Deserialization` in `JsonPickleSerializer` Enables Remote Code Execution
Description A critical deserialization vulnerability exists in the llama_index library's JsonPickleSerializer component, enabling remote code execution (RCE) due to an insecure fallback to Python's pickle module. When deserializing untrusted data, JsonPickleSerializer prioritizes pickle.loads, which...
XSS vulnerability exists in some specific browsers
Description The XSS vulnerability cannot be triggered in Chrome, but it is triggered when using Firefox, including the latest version of Firefox. Since Firefox is widely used, when the administrator uses Firefox to view the relevant interface, the XSS vulnerability will be triggered, resulting in the...
SSRF Vulnerability in RequestsToolkit in langchain-community in langchain-ai/langchain
Description Vulnerability Description RequestsToolkit enables AI agents to perform HTTP requests (GET, POST, PATCH, PUT, DELETE) via LangChain workflows. However, a Server-Side Request Forgery (SSRF) vulnerability exists in the RequestsToolkit component of the langchain-community package; specifically,...
Using Mermaid to cause JS memory overflow and service downtime
Description Librechat has many means of limiting the rate, which can be found at https://www.librechat.ai/docs/configuration/librechatyaml/objectstructure/configratelimits. However, it can be found that the Fork Function in /api/convos/fork is not restricted, which allows attackers to fork...
Timing attacks to guess password in lollms_authentication.py
Description The authenticate_user function in /server/endpoints/lollms_authentication.py is vulnerable to timing attacks that can be exploited to: enumerate valid usernames; guess passwords incrementally by analyzing response time differences. Explanation of the vulnerability def...
URL Parsing Issue
Repository: Hugging Face Transformers. File: image_utils.py. Line: 834. Code Snippet: if video.startswith("https://www.youtube.com") or video.startswith("http://www.youtube.com"): Vulnerability Description: The current implementation checks if a video URL starts with "https://www.youtube.com" or...
Unsanitised Input in code node
Description We can run a sandboxed code node with full permissions, before the sandbox security restrictions are imposed. JavaScript allows overriding global functions, thus by defining the parseInt function inside a JavaScript code node, we are able to execute code with full root permissions o...
Regular expression Denial of Service - ReDoS
Description A regular expression denial of service (ReDoS) vulnerability has been identified in the Hugging Face Transformers library's dynamic module utilities. The vulnerability exists in the get_imports function in dynamic_module_utils.py, which uses a vulnerable regular expression pattern to filte...
Regular expression Denial of Service - ReDoS
Description A regular expression denial of service (ReDoS) vulnerability has been identified in the Hugging Face Transformers library's configuration file resolution mechanism. The vulnerability exists in the get_configuration_file function, which uses the vulnerable regular expression pattern...
Path Traversal via Symbolic Links in `ObsidianReader`
Description The ObsidianReader class, designed to parse Obsidian vaults, contains a critical security flaw that allows arbitrary file read through symbolic links (symlinks). When processing a vault, the reader does not resolve or validate the absolute paths of files, enabling an attacker to place a...
Uncontrolled Memory Consumption in `SimpleDirectoryReader` Due to Post-Limit File Processing
Description Summary: The SimpleDirectoryReader component in llama_index.core contains a resource management flaw where user-specified file limits (num_files_limit) are applied after fully enumerating and loading all discovered files into memory. This design causes uncontrolled memory consumption and...
Regular expression Denial of Service - ReDoS
Description The regex defined in the variable SETTINGRE contains repetition groups and non-optimized quantifiers, which can lead to exponential backtracking when receiving "almost matching" payloads. This may degrade the application's performance or even cause a denial-of-service (DoS) when...
MD5 Hash Collision Causes Overwriting of Papers with the Same Title, Leading to Data Loss
Description The ArxivReader class in LlamaIndex is responsible for searching for papers on ArXiv, downloading them, and processing them for AI model training. The workflow of ArxivReader is as follows: 1. The user searches for a specific topic on ArXiv, retrieving a list of relevant papers. impor...
Privilege escalation from writing file into temporary directory to arbitrary code execution
Description The MLflow temporary directory gets assigned insecure world-writable permissions (0o777). def get_or_create_tmp_dir(): """Get or create a temporary directory which will be removed once the Python process exits.""" from mlflow.utils.databricks_utils import get_repl_id, is_in_databricks_runtime if...
XML Entity Expansion vulnerability in Sitemap parser
Description There is an XML entity expansion (billion laughs) vulnerability in the sitemap parser. When accessing a malicious Sitemap XML, this results in a Denial of Service. Vulnerable class: import urllib.request; import xml.etree.ElementTree as ET; from typing import List; from...
SQL injection vulnerabilities in multiple vector stores
Description Multiple vector store integrations have SQL injection vulnerabilities, which can allow an attacker to read and write data using SQL. Example vulnerable code snippet in the Couchbase vector store integration: def delete(self, ref_doc_id: str, **kwargs: Any) -> None: """Delete a document by i...
Command injection in LLama-Index CLI
Description There is an OS command injection vulnerability in the LLama-Index CLI. Because of pasting the --files argument directly into os.system, an attacker who controls the content of this argument can inject shell commands. The vulnerability was marked as "Local" in the CVSS rating because t...