4057 matches found

Huntr, added 2025/06/13 3:14 p.m., 4 views

Brotli decompression bomb DoS

Description urllib3 cannot stream brotli-encoded responses properly, unlike the way it handles gzip responses. It always loads entire decompressed response body into memory when reading brotli-encoded response, which allows malicious servers to perform DoS attack by responding with decompression...

8.9 CVSS | 6.8 AI score | 0.00017 EPSS | Exploits: 0

Huntr, added 2025/06/13 8:33 a.m., 5 views

Full system file read and delete via GET /api/v1/images/download/{bulk_download_item_name}

Description For invokeai version v6.0.0a1 and below, there is an endpoint for bulk downloading zip file. With some manipulation of the filename arguments, attacker can read and also delete any files on the server through this endpoint. P/S: Tested on Windows Proof of Concept Request: GET...

9.8 CVSS | 7 AI score | 0.00112 EPSS | Exploits: 0

Huntr, added 2025/06/13 12:43 a.m., 3 views

I

Description Improper authorization controls in the conversation sharing feature make it possible to access other user's conversations given a known conversation ID. The exploitability is limited by the fact that UUIDv4 conversation IDs are generated on the server side and are practically impossib...

4.2 CVSS | 5.9 AI score | 0.00051 EPSS | Exploits: 1

Huntr, added 2025/06/09 5:2 p.m., 8 views

Regular expression Denial of Service - ReDoS

Description A regular expression denial of service ReDoS vulnerability has been identified in the Hugging Face Transformers library's CLVP number normalizer. The vulnerability exists in the normalizenumbers method of the EnglishNormalizer class, which converts numeric strings to their English wor...

5.3 CVSS | 6.2 AI score | 0.00034 EPSS | Exploits: 1

Huntr, added 2025/06/04 11:14 a.m., 4 views

H2O-3 MySQL JDBC Driver Deserialization Vulnerability_Key-Value Bypass Parameter Inspection

Creator: zack H2O-3 Version: 3.46.0.7, 3.47.0.6928 MySQL JDBC Driver Version: 8.0.19 JDK Version: 8u112 Description There is a JDBC deserialization vulnerability in the H2O-3 REST API (POST /99/ImportSQLTable) that does not require authentication. This vulnerability can lead to Remote Code Executio...

9.8 CVSS | 7.4 AI score | 0.0284 EPSS | Exploits: 0

Huntr, added 2025/06/03 5:9 a.m., 6 views

Mysql Jdbc Attack about CVE-2024-45758 and CVE-2024-10553 Bypass

Summary Attackers can exploit this vulnerability to read any system file and even execute arbitrary code through deserialization Details https://github.com/h2oai/h2o-3/commit/ac1d642b4d86f10a02d75974055baf2a4b2025ac Affected Version: The latest master branch Build project version: 3.47.0.99999...

9.8 CVSS | 7.5 AI score | 0.02857 EPSS | Exploits: 2

Huntr, added 2025/05/30 8:7 a.m., 6 views

langchain-community: Sensitive Information Disclosure Due to Insecure XML Parsing in EverNoteLoader

This report is not public...

7.5 CVSS | 7 AI score | 0.01922 EPSS | Exploits: 0

Huntr, added 2025/05/27 3:2 p.m., 5 views

Denial of Service(DOS) in JSONReader

Description There exists a denial of service vulnerability (DOS) that occurs by python hitting max recursion depth while parsing a deeply nested json file using JSONReader. Vulnerable piece of code...

8.6 CVSS | 7.1 AI score | 0.00055 EPSS | Exploits: 0

Huntr, added 2025/05/25 6:55 a.m., 4 views

Environment Variable XSS in Analytics Component

Description A critical stored Cross-Site Scripting XSS vulnerability exists in the Analytics component of lunary-ai/lunary where the NEXTPUBLICCUSTOMSCRIPT environment variable is directly injected into the DOM using dangerouslySetInnerHTML without any sanitization or validation. This allows...

9.6 CVSS | 7.5 AI score | 0.00225 EPSS | Exploits: 1

Huntr, added 2025/05/13 1:27 p.m., 9 views

IDOR Vulnerability in Template Creation via `projectId` Manipulation

Description An Insecure Direct Object Reference IDOR vulnerability exists in the POST /v1/templates endpoint of the Lunary API. This allows an authenticated user to create templates in another user’s project by modifying the projectId query parameter. This occurs due to a lack of server-side...

7.7 CVSS | 6.7 AI score | 0.00047 EPSS | Exploits: 0

Huntr, added 2025/05/01 11:53 a.m., 5 views

Regular expression Denial of Service - ReDoS

Description A regular expression denial of service ReDoS vulnerability has been identified in the Hugging Face Transformers library's weight conversion utility. The vulnerability exists in the converttfweightnametoptweightname function, which converts TensorFlow weight names to PyTorch format. Th...

5.3 CVSS | 5.2 AI score | 0.00096 EPSS | Exploits: 1

Huntr, added 2025/04/23 9:46 a.m., 5 views

Divide By Zero lead to DOS

This report is not public...

7.1 AI score | Exploits: 0

Huntr, added 2025/04/21 7:56 a.m., 5 views

Python sandbox escape leading to Remote Code Execution (RCE)

Smolagents python sandbox escape leading to Remote Code Execution RCE Summary Smolagents is a barebones library for building agents that “think in Python code”—generating and executing Python as part of their reasoning process. Given this design, secure code execution is a critical backbone of...

10 CVSS | 8.6 AI score | 0.01869 EPSS | Exploits: 1

Huntr, added 2025/04/05 9:22 a.m., 8 views

Regular expression Denial of Service - ReDoS in huggingface/transformers

Description A regular expression denial of service ReDoS vulnerability has been identified in the Hugging Face Transformers library's Donut processor. The vulnerability exists in the token2json method of the DonutProcessor class, which processes document tokens into JSON format. The regex pattern...

5.3 CVSS | 5.3 AI score | 0.00088 EPSS | Exploits: 1

Huntr, added 2025/04/04 1:4 p.m., 6 views

MD5 Hash Collision in DocugamiReader Overwrites Structurally Distinct Chunks with Identical Text

Description The DocugamiReader class in llamaindex retrieves structured XML documents from the Docugami API, parses them into semantic chunks, and converts them into Document objects. To assign consistent IDs to each chunk, the following logic is used: hashedid =...

6.5 CVSS | 7.2 AI score | 0.00301 EPSS | Exploits: 1

Huntr, added 2025/04/03 1:6 a.m., 3 views

Denial of Service via `Uncontrolled Recursive` JSON Parsing in `JSONReader`

Description The JSONReader in llamaindex is vulnerable to stack overflow when processing deeply nested JSON, leading to a RecursionError. Attackers can exploit this to trigger Denial of Service DoS by submitting malicious JSON, crashing applications before input validation. This impacts...

6.5 CVSS | 7.8 AI score | 0.00162 EPSS | Exploits: 1

Huntr, added 2025/04/01 10:18 p.m., 3 views

Hardlink-Based Path Traversal in ObsidianReader

Overview A vulnerability has been identified in the ObsidianReader class from llamaindex.readers.obsidian. This vulnerability allows an attacker to bypass the path restriction mechanism using hardlinks, enabling unauthorized access to sensitive system files such as /etc/passwd. Affected Componen...

6.2 CVSS | 6.8 AI score | 0.00139 EPSS | Exploits: 1

Huntr, added 2025/04/01 12:20 p.m., 5 views

Arbitrary file read through path traversal

Description: The code in genericutils.py has a path traversal vulnerability, which allows an attacker to control the file path provided to the ImageDocument class. This can lead to the reading of arbitrary files on the server, including sensitive system files, through base64 encoding and decoding...

7.5 CVSS | 7.2 AI score | 0.00443 EPSS | Exploits: 1

Huntr, added 2025/03/31 10:47 p.m., 4 views

Unsafe `Deserialization` in `JsonPickleSerializer` Enables Remote Code Execution

Description A critical deserialization vulnerability exists in the llamaindex library’s JsonPickleSerializer component, enabling remote code execution RCE due to an insecure fallback to Python’s pickle module. When deserializing untrusted data, JsonPickleSerializer prioritizes pickle.loads, which...

7.5 CVSS | 5.9 AI score | 0.01612 EPSS | Exploits: 1

Huntr, added 2025/03/31 2:13 p.m., 3 views

XSS vulnerability exists in some specific browsers

Description The XSS vulnerability cannot be triggered in Chrome, but it is triggered when using Firefox and the latest version of Firefox. Since Firefox is widely used, when the administrator uses Firefox to view the relevant interface, the XSS vulnerability will be triggered, resulting in the...

8 CVSS | 6 AI score | 0.0016 EPSS | Exploits: 1

Huntr, added 2025/03/25 8:42 p.m., 7 views

SSRF Vulnerability in RequestsToolkit in langchain-community in langchain-ai/langchain

Description Vulnerability Description RequestsToolkit enables AI agents to perform HTTP requests GET, POST, PATCH, PUT, DELETE via LangChain workflows. However, a Server-Side Request Forgery SSRF vulnerability exists in the RequestToolkit component of the langchain-community package specifically,...

10 CVSS | 6.9 AI score | 0.00171 EPSS | Exploits: 1

Huntr, added 2025/03/24 2:50 p.m., 6 views

Using Mermaid to cause JS memory overflow and service downtime

Description Librechat has many means of limiting the rate, which can be found at https://www.librechat.ai/docs/configuration/librechatyaml/objectstructure/configratelimits. However, it can be found that the Fork Function in /api/convos/fork is not restricted, which allows attackers to fork...

5.7 CVSS | 7 AI score | 0.00037 EPSS | Exploits: 0

Huntr, added 2025/03/23 5:21 p.m., 6 views

Timing attacks to guess password in lollms_authentication.py

Description The authenticateuser function in /server/endpoints/lollmsauthentication.py is vulnerable to timing attacks that can be exploited to: Enumerate valid usernames. Guess passwords incrementally by analyzing response time differences. Explanation of the vulnerability def...

7.5 CVSS | 6.9 AI score | 0.0026 EPSS | Exploits: 0

Huntr, added 2025/03/19 8:59 p.m., 5 views

URL Parsing Issue

Repository: Hugging Face Transformers File: imageutils.py Line: 834 Code Snippet: if video.startswith"https://www.youtube.com" or video.startswith"http://www.youtube.com": Vulnerability Description: The current implementation checks if a video URL starts with "https://www.youtube.com" or...

3.5 CVSS | 7.2 AI score | 0.00055 EPSS | Exploits: 1

Huntr, added 2025/03/19 1:7 p.m., 5 views

unsanitised Input in code node

Description We can run sandboxed code node with full permissions, before the sandbox security restrictions are imposed. Javascript allows overriding global functions, thus by defining the parseInt function inside a javascript code node, we are able to execute code with full root permissions o...

9.8 CVSS | 7.6 AI score | 0.00822 EPSS | Exploits: 1

Huntr, added 2025/03/17 4:10 p.m., 4 views

Regular expression Denial of Service - ReDoS

Description A regular expression denial of service ReDoS vulnerability has been identified in the Hugging Face Transformers library's dynamic module utilities. The vulnerability exists in the getimports function in dynamicmoduleutils.py, which uses a vulnerable regular expression pattern to filte...

5.3 CVSS | 7.3 AI score | 0.00096 EPSS | Exploits: 1

Huntr, added 2025/03/15 7:42 p.m., 5 views

Regular expression Denial of Service - ReDoS

Description A regular expression denial of service ReDoS vulnerability has been identified in the Hugging Face Transformers library's configuration file resolution mechanism. The vulnerability exists in the getconfigurationfile function, which uses the vulnerable regular expression pattern...

5.3 CVSS | 7 AI score | 0.00096 EPSS | Exploits: 1

Huntr, added 2025/03/12 11:27 p.m., 4 views

Path Traversal via Symbolic Links in `ObsidianReader`

Description The ObsidianReader class, designed to parse Obsidian vaults, contains a critical security flaw that allows arbitrary file read through symbolic links symlinks. When processing a vault, the reader does not resolve or validate the absolute paths of files, enabling an attacker to place a...

7.5 CVSS | 6.9 AI score | 0.00487 EPSS | Exploits: 1

Huntr, added 2025/03/11 10:51 p.m., 5 views

Uncontrolled Memory Consumption in `SimpleDirectoryReader` Due to Post-Limit File Processing

Description Summary: The SimpleDirectoryReader component in llamaindex.core contains a resource management flaw where user-specified file limits numfileslimit are applied after fully enumerating and loading all discovered files into memory. This design causes uncontrolled memory consumption and...

5.3 CVSS | 7.5 AI score | 0.00024 EPSS | Exploits: 0

Huntr, added 2025/03/07 7:49 p.m., 6 views

Regular expression Denial of Service - ReDoS

Description The regex defined in the variable SETTINGRE contains repetition groups and non-optimized quantifiers, which can lead to exponential backtracking when receiving "almost matching" payloads. This may degrade the application's performance or even cause a denial-of-service DoS when...

7.5 CVSS | 7.2 AI score | 0.00318 EPSS | Exploits: 1

Huntr, added 2025/03/07 1:35 p.m., 3 views

MD5 Hash Collision Causes Overwriting of Papers with the Same Title, Leading to Data Loss

Description The ArxivReader class in LlamaIndex is responsible for searching for papers on ArXiv, downloading them, and processing them for AI model training. The workflow of ArxivReader is as follows: 1. The user searches for a specific topic on ArXiv, retrieving a list of relevant papers. impor...

5.3 CVSS | 6.6 AI score | 0.00231 EPSS | Exploits: 1

Huntr, added 2025/03/02 3:6 a.m., 5 views

Privilege escalation from writing file into temporary directory to arbitrary code execution

Description The MLFlow temporary directory gets assigned insecure world-writable permissions 0o777. def getorcreatetmpdir: """ Get or create a temporary directory which will be removed once python process exit. """ from mlflow.utils.databricksutils import getreplid, isindatabricksruntime if...

7 CVSS | 7.4 AI score | 0.00007 EPSS | Exploits: 1

Huntr, added 2025/02/28 5:24 a.m., 4 views

XML Entity Expansion vulnerability in Sitemap parser

Description There is an XML entity expansion billion laughs vulnerability in the sitemap parser. When accessing a malicious Sitemap XML, this results in a Denial of Service. Vulnerable class: import urllib.request import xml.etree.ElementTree as ET from typing import List from...

7.5 CVSS | 7.1 AI score | 0.00345 EPSS | Exploits: 1

Huntr, added 2025/02/28 4:54 a.m., 5 views

SQL injection vulnerabilities in multiple vector stores

Description Multiple vector store integrations have SQL injection vulnerabilities, which can allow an attacker to read and write data using SQL. Example vulnerable code snippet in the Couchbase vector store integration: def deleteself, refdocid: str, kwargs: Any - None: """ Delete a document by i...

9.8 CVSS | 8 AI score | 0.00057 EPSS | Exploits: 1

Huntr, added 2025/02/27 9:33 a.m., 6 views

Command injection in LLama-Index CLI

Description There is an OS command injection vulnerability in the LLama-Index CLI. Because of pasting the --files argument directly into os.system, an attacker who controls the content of this argument can inject shell commands. The vulnerability was marked as "Local" in the CVSS rating because t...

7.8 CVSS | 8.7 AI score | 0.00112 EPSS | Exploits: 1

Huntr, added 2025/02/25 10:4 a.m., 3 views

SQL Injection in DuckDBVectorStore via delete can lead to RCE

Description The delete function in DuckDBVectorStore easily attacks SQL when the attack controls the refdocid parameter. This can help attackers read and write arbitrary files on the server and lead to rce. ddbquery = f""" DELETE FROM self.tablename WHERE jsonextractstringmetadata, '$.refdocid' =...

9.8 CVSS | 7.7 AI score | 0.0168 EPSS | Exploits: 1

Huntr, added 2025/02/22 5:56 p.m., 5 views

Unauthenticated Stored XSS via dangerouslySetInnerHTML

An UNAUTHENTICATED attacker can achieve stored cross-site scripting XSS by injecting malicious JavaScript the v1/runs/ingest if he adds an empty citations field to trigger a code path where dangerouslySetInnerHTML is used to render the attacker controlled text. This vulnerability allows the...

9.1 CVSS | 5.3 AI score | 0.0056 EPSS | Exploits: 1

Huntr, added 2025/02/15 8:25 a.m., 8 views

A malicious manifest can lead to DoS due to unchecked array bound access via network in ollama/ollama

This report is not public...

7.5 CVSS | 7.7 AI score | 0.00495 EPSS | Exploits: 1

Huntr, added 2025/02/11 11:22 a.m., 8 views

Regular expression Denial of Service - ReDoS

Description The preprocessstring function in the transformers.testingutils module uses a regular expression to process code blocks in docstrings. This regular expression has the following structure: codeblockpattern = r"?:python|py\s\n\s ?:.?\n?.?" The segment ?:.?\n?.? contains nested quantifier...

7.5 CVSS | 7.4 AI score | 0.00092 EPSS | Exploits: 1

Huntr, added 2025/02/02 1:21 p.m., 5 views

A DoS attack occurred in run-llama/llama_index due to inappropriate secure coding measures

Description A DoS vulnerability has been identified in the KnowledgeBaseWebReader class of the run-llama/llamaindex project, and this issue has been reported see the link below: Huntr Report : https://huntr.com/bounties/27883f22-35ff-49df-aaa5-05031c7d6ad8 However, due to the developer's...

7.5 CVSS | 7.9 AI score | 0.00162 EPSS | Exploits: 1

Huntr, added 2025/01/25 8:10 p.m., 5 views

Bucket "h2o-release" publicly writable, allowing an attacker to replace any file

The S3 bucket "h2o-release" where you host docs and which you instruct your users to use as a Maven repo e.g. in here https://github.com/h2oai/h2o-3?tab=readme-ov-file3-using-h2o-3-artifacts is publicly writable. It is possible to overwrite any file in that bucket. As a PoC I created the followin...

7.1 AI score | Exploits: 0

Huntr, added 2025/01/22 11:30 a.m., 5 views

Regular expression Denial of Service - ReDoS

Description A Regular Expression Denial of Service ReDoS vulnerability was identified in the Transformers library, specifically in the file tokenizationgptneoxjapanese.py of the GPT-NeoX-Japanese model. The vulnerability occurs in the SubWordJapaneseTokenizer class, where regular expressions...

6.5 CVSS | 5.5 AI score | 0.00032 EPSS | Exploits: 1

Huntr, added 2025/01/11 5:16 p.m., 3 views

Bug Bounty Report: Command Injection Vulnerability in subprocess Call

This report is not public...

7.1 AI score | Exploits: 0

Huntr, added 2024/12/14 4:48 a.m., 4 views

Denial of Service(DOS) in LangChainLLM due to missing exception handler.

Summary The streamcomplete method of the LangChainLLM class executes the llm using a thread and retrieves the result of the llm via the getresponsegen method of the StreamingGeneratorCallbackHandler class. During this process, getresponsegen recursively detects the onllmerror and onllmend events...

7.5 CVSS | 7.7 AI score | 0.00351 EPSS | Exploits: 1

Huntr, added 2024/12/06 5:37 a.m., 5 views

SQL Injection to RCE on FinanceChatLlamaPack

Summary The Finance Chat Llama Pack implements a hierarchical agent based on LLM for financial chat and information extraction. It includes an agent called 'database agent' for interacting with a PostgreSQL database. However, due to the lack of protections in the runsqlquery function on the...

10 CVSS | 10 AI score | 0.0413 EPSS | Exploits: 1

Huntr, added 2024/12/04 7:28 p.m., 4 views

SSRF check bypass in Requests utility

Description The autogpt application relies on a wrapper around the requests library in order to avoid SSRF attacks performing a check on the provided URL. Such check is performed using the urlparse function from urllib.parse library, and the request is later performed using the requests library...

7.5 CVSS | 7.7 AI score | 0.00103 EPSS | Exploits: 1

Huntr, added 2024/12/04 12:5 p.m., 6 views

Changing the "ID" parameter in the user cookie allows loading the profile picture of other users

Description A vulnerability has been discovered in AnythingLLM Docker that allows users, even with "Default" permission, to obtain other users' profile pictures. Proof of Concept 1 Create a new user with the default role; 2 Log in to the user account you created; 3 Open the browser inspector and...

4.3 CVSS | 6.7 AI score | 0.00194 EPSS | Exploits: 1

Huntr, added 2024/12/03 10:12 a.m., 12 views

Regular expression Denial of Service - ReDoS

Description A Regular Expression Denial of Service ReDoS vulnerability identified in the Transformers library, specifically in the file tokenizationnougatfast.py. The vulnerability occurs in the postprocesssingle function, where a regular expression processes specially crafted input. The issue...

7.5 CVSS | 6.2 AI score | 0.00228 EPSS | Exploits: 0

Huntr, added 2024/12/03 4:27 a.m., 2 views

AutoGPT SSTI Vulnerability Leading to Remote Code Execution (RCE)

Summary AutoGPT, an open-source AI tool that automates task execution, is vulnerable to a Server-Side Template Injection SSTI that could lead to arbitrary command execution. The vulnerability arises from the improper handling of user-supplied format strings in the AgentOutputBlock implementation,...

8.8 CVSS | 9.1 AI score | 0.11604 EPSS | Exploits: 1

Huntr, added 2024/11/26 7:9 a.m., 2 views

Remote Code Execution via Unsafe Torch Load in TransfoXLCorpus

Description This is a new bypass to the patch of my previous report, in which the maintainers only apply the "TRUSTREMOTECODE" to guard the vulnerable code of vocabdict = pickle.loadf, but overlooked another vulnerable code of corpusdict = torch.loadresolvedcorpusfile without setting...

7.6 AI score | Exploits: 0

Total number of security vulnerabilities: 4057