4072 matches found
SQL Injection in DuckDBVectorStore via delete can lead to RCE
Description The delete function in DuckDBVectorStore easily attacks SQL when the attack controls the refdocid parameter.This can help attackers read and write arbitrary files on the server and lead to rce. ddbquery = f""" DELETE FROM self.tablename WHERE jsonextractstringmetadata, '$.refdocid' =...
Unauthenticated Stored XSS via dangerouslySetInnerHTML
An UNAUTHENTICATED attacker can achieve stored cross-site scripting XSS by injecting malicious JavaScript the v1/runs/ingest if he adds an empty citations field to trigger a code path where dangerouslySetInnerHTML is used to render the attacker controlled text. This vulnerability allows the...
A malicious manifests can lead to DoS due to unchecked array bound access via network in ollama/ollama
This report is not public...
Regular expression Denial of Service - ReDoS
Description The preprocessstring function in the transformers.testingutils module uses a regular expression to process code blocks in docstrings. This regular expression has the following structure: codeblockpattern = r"?:python|py\s\n\s ?:.?\n?.?" The segment ?:.?\n?.? contains nested quantifier...
A DoS attack occurred in run-llama/llama_index due to inappropriate secure coding measures
Description A DoS vulnerability has been identified in the KnowledgeBaseWebReader class of the run-llama/llamaindex project, and this issue has been reported see the link below: Huntr Report : https://huntr.com/bounties/27883f22-35ff-49df-aaa5-05031c7d6ad8 However, due to the developer's...
Bucket "h2o-release" publicly writable, allowing an attacker to replace any file
The S3 bucket "h2o-release" where you host docs and which you instruct your users to use as a Maven repo e.g. in here https://github.com/h2oai/h2o-3?tab=readme-ov-file3-using-h2o-3-artifacts is publicly writable. It is possible to overwrite any file in that bucket. As a PoC I created the followin...
Regular expression Denial of Service - ReDoS
Description A Regular Expression Denial of Service ReDoS vulnerability was identified in the Transformers library, specifically in the file tokenizationgptneoxjapanese.py of the GPT-NeoX-Japanese model. The vulnerability occurs in the SubWordJapaneseTokenizer class, where regular expressions...
Bug Bounty Report: Command Injection Vulnerability in subprocess Call
This report is not public...
Denial of Service(DOS) in LangChainLLM due to missing exception handler.
Summary The streamcomplete method of the LangChainLLM class executes the llm using a thread and retrieves the result of the llm via the getresponsegen method of the StreamingGeneratorCallbackHandler class. During this process, getresponsegen recursively detects the onllmerror and onllmend events...
SQL Injection to RCE on FinanceChatLlamaPack
Summary The Finance Chat Llama Pack implements a hierarchical agent based on LLM for financial chat and information extraction. It includes an agent called 'database agent' for interacting with a PostgreSQL database. However, due to the lack of protections in the runsqlquery function on the...
SSRF check bypass in Requests utility
Description The autogpt application relies on a wrapper around the requests library in order to avoid SSRF attacks performing a check on the provided URL. Such check is performed using the urlparse function from urllib.parse library, and the request is later performed using the requests library...
Changing the "ID" parameter in the user cookie allows loading the profile picture of other users
Description A vulnerability has been discovered in AnythingLLM Docker that allows users, even with "Default" permission, to obtain other users' profile pictures. Proof of Concept 1 Create a new user with the default role; 2 Log in to the user account you created; 3 Open the browser inspector and...
Regular expression Denial of Service - ReDoS
Description A Regular Expression Denial of Service ReDoS vulnerability identified in the Transformers library, specifically in the file tokenizationnougatfast.py. The vulnerability occurs in the postprocesssingle function, where a regular expression processes specially crafted input. The issue...
AutoGPT SSTI Vulnerability Leading to Remote Code Execution (RCE)
Summary AutoGPT, an open-source AI tool that automates task execution, is vulnerable to a Server-Side Template Injection SSTI that could lead to arbitrary command execution. The vulnerability arises from the improper handling of user-supplied format strings in the AgentOutputBlock implementation,...
Remote Code Execution via Unsafe Torch Load in TransfoXLCorpus
Description This is a new bypass to the patch of my previous report, in which the maintainers only apply the "TRUSTREMOTECODE" to guard the vulnerable code of vocabdict = pickle.loadf, but overlooked another vulnerable code of corpusdict = torch.loadresolvedcorpusfile without setting...
A SQL Injection in DuckDB via prompt can lead to RCE
Target Link Description sql = f""" SELECT ftsmainself.tablename.matchbm25self.nodeidcolumn, 'query' AS score, self.nodeidcolumn, self.textcolumn FROM self.tablename WHERE score IS NOT NULL ORDER BY score DESC LIMIT self.similaritytopk; """ The duckdbretriever performs "search using string" and...
MD5 Hash Collision in SageMaker Workflow
The possibility exists that MD5 collisions could occur in past cache configurations, potentially leading to workflows being inadvertently replaced. Impact In a SageMaker workflow, there is a potential risk associated with using MD5 hashes due to hash collisions. MD5 is vulnerable to collision...
Admin Able to Create User Without Setting a Password
Description The application allows an admin to create a new user account without assigning a password. This could lead to security vulnerabilities, or the system might inadvertently create an account with a default or blank password, making it susceptible to unauthorized access. Proof of Concept ...
Stored Cross-Site Scripting (XSS) via SAML IdP XML Injection
An attacker can achieve stored cross-site scripting XSS by injecting malicious JavaScript into the SAML IdP XML metadata. This metadata is used to generate the SAML login redirect URL, which is ultimately set as the value of window.location.href. This vulnerability allows the attacker to execute...
Arbitrary File Overwrite & RCE via Tarfile Path Traversal
Description The DJL package utilizes an untar function, for example, when downloading and saving models. Additionally, the untar function overwrites existing files. Therefore, the untar method includes the following two security measures to prevent misuse of its functionality. 1. Security measure...
Improper access of prompt data by another user.
Description Another user can able to see the prompts data of a particular users. Proof of Concept let promptid be the prompt id of user 1 visit http://127.0.0.1:8080/prompts/promptid from another users user 2 session user 2 can see the user 1 promptid's data. Previously it was reported by some on...
Lack of unique constraint validation allows overwriting evaluators
Description The application allows the creation of evaluators without enforcing a unique constraint on the combination of projectId and slug. This allows an attacker to overwrite existing data by submitting a POST request with the same slug as an existing evaluator. Since the backend lacks databa...
Logging into webui as view only internal user provides overly privileged bearer key
Description When an user with the role "internaluserviewer" logs into the application they are provided with an overly privileged API key. This key can be used to access all the admin functionality of the application. The following steps are taken: An admin creates an Internal User with the role...
Partial Account Takeover due to Insecure Data Querying
This report is not public...
Denial of service through batched queries in GraphQL
This report is not public...
Improper Access Control Allows deleting other users' reminders
Description Because the report I reported before was exploited on the public, I created a new report to exploit on the local machine The vulnerability allows users to delete other users' prompts on the system via the groupid parameter Proof of Concept const deletePromptController = async req, res...
SQL Injection in default_jsonalyzer via prompt injection leads to arbitrary file creation
Target Link Description defaultjsonalyzer function used in JSONalyzeQueryEngine execute a sqlite query that llm made. If the attacker control the sqlite query with prompt injection and execute a malicious sqlite query, then Denial-of-Service attack and arbitrary file creation is possible. Root...
Exception unhandled, lead to server crash
Description In node js express, if exception is uncaught, the server will crash. fs module sometimes throw exception when dealing with file upload. Unauth user can send something to the server trigger the exception lead to server crash. Proof of Concept import requests import random import string...
Path traversal, lead to arbitrary file write, lead to remote code execution
Description Anythingllm use multer library to handle http multi-part file upload. Anything llm use the following code to handle non-ascii file name file.originalname = Buffer.fromfile.originalname, "latin1".toString "utf8" ; This way of manipulating filename is will lead to path traversal. multer...
Arbitrary file deletion on Windows via the '/v1/agent/hub/update' endpoint.
This report is not public...
Remote Code Execution via Model Deserialization on /api/v2/models/install API
Summary I have identified a critical vulnerability leading to remote code execution in the /api/v2/models/install API through unsafe model deserialization. The API allows users to specify a model URL, which is downloaded and loaded server-side using torch.load without proper validation. This...
Leakage of Langfuse API keys in team exception handling
This report is not public...
Integer Overflow In /v2/repository/models/<model_name>/load
This report is not public...
multer(file upload middleware in express) misused, lead to remote code execution
Description Librechat use multer to handle multi-part file upload. multer library will deal with '../' kind of path traversal, then let the programmer decide the actual filename, then join the path to write the upload the file. this means, if '../' is provided by the user of librechat, multer wil...
IDOR Vulnerability in PATCH `/v1/runs/:id/score` Endpoint Allows Unauthorized Score Updates for Other Users’ Runs
Description An Insecure Direct Object Reference IDOR vulnerability exists in the PATCH /v1/runs/:id/score endpoint. This endpoint allows an attacker to update the score data of any run by manipulating the id parameter in the request URL, which corresponds to the runIdscore in the database. The...
RCE via Global State Override
This exploit effectively serves as a bypass for CVE-2024-3408. An attacker can override global state to enable custom filters, which then facilitates remote code execution RCE. Specifically, this vulnerability leverages the ability to manipulate global application settings to activate the...
A malicious gguf model can lead to DoS due to unchecked null pointer dereference via network
This report is not public...
A malicious gguf model can lead to DoS due to unchecked array bound access via network
This report is not public...
malicious gguf model can cause DoS by allocate unlimited memory via network access
This report is not public...
malicious gguf model can be uploaded and created causing division by zero via network, leading to DoS
This report is not public...
DoS using malicious gguf model file
This report is not public...
Not limitation of upload file size, lead to server crash
Description librechat use multer, which is a middleware which handles streaming multipart fileupload. If use in memory storagemulter by default, can do not limit the upload file size, when handling big file, server will crash for out of memory. Attacker with no privilege can exploit this. Proof o...
Read from host file system via ImagePromptTemplate in langchain-core
Description You can create langchaincore.prompts.ImagePromptTemplate's and by extension the langchaincore.prompts.ChatPromptTemplate's with input variables that make it possible for the prompt template to read any user-specified path from the server file system. If the outputs of the prompt...
Denial of service through tracking and requesting Aim objects through web API
This report is not public...
dify tools vanna has pandas query inject
This report is not public...
Denial of service by tracking large images
This report is not public...
Lack of proper access control on endpoint to delete evaluators
Description The /v1/evaluators/ route allows users to delete evaluators of a project by sending a DELETE request. However, the route lacks proper access control, such as middleware to ensure that only users with appropriate roles can delete evaluator data. The current implementation: Does not...
Server Side Request Forgery(SSRF) on WordExtractor in langgenius/dify
Summary The vulnerability occurs when uploading DOCX files in the "Create Knowledge" section. If an external relationship exists in the DOCX file, the reltype value is requested as a URL. Requests are sent using the 'requests' module instead of the 'ssrfproxy', which can lead to an SSRF...
Ollama server is vulnerable to OOM DoS attacks when using `makeRequestWithRetry` and `getAuthorizationToken` functions
This report is not public...
CSRF ON SIGNUP PAGE
CSRF ON CREATING A NEW USER in mlflow/mlflow Reported on Oct 31st 2024 The Signup feature of Mlflow is vulnerable to CSRF attack that allow attacker to create a new account. This may be used to perform unauthorised actions on behalf of the malcious user . Proof of Concept : An attacker can use CS...