A SQL Injection in DuckDB via prompt can lead to RCE
Description sql = f""" SELECT fts_main_{self.table_name}.match_bm25({self.node_id_column}, '{query}') AS score, {self.node_id_column}, {self.text_column} FROM {self.table_name} WHERE score IS NOT NULL ORDER BY score DESC LIMIT {self.similarity_top_k}; """ The DuckDBRetriever performs "search using string" and...
MD5 Hash Collision in SageMaker Workflow
The possibility exists that MD5 collisions could occur in past cache configurations, potentially leading to workflows being inadvertently replaced. Impact In a SageMaker workflow, there is a potential risk associated with using MD5 hashes due to hash collisions. MD5 is vulnerable to collision...
Admin Able to Create User Without Setting a Password
Description The application allows an admin to create a new user account without assigning a password. This could lead to security vulnerabilities, or the system might inadvertently create an account with a default or blank password, making it susceptible to unauthorized access. Proof of Concept ...
Stored Cross-Site Scripting (XSS) via SAML IdP XML Injection
An attacker can achieve stored cross-site scripting (XSS) by injecting malicious JavaScript into the SAML IdP XML metadata. This metadata is used to generate the SAML login redirect URL, which is ultimately set as the value of window.location.href. This vulnerability allows the attacker to execute...
Arbitrary File Overwrite & RCE via Tarfile Path Traversal
Description The DJL package utilizes an untar function, for example, when downloading and saving models. Additionally, the untar function overwrites existing files. Therefore, the untar method includes the following two security measures to prevent misuse of its functionality. 1. Security measure...
Improper access of prompt data by another user.
Description Another user is able to see the prompt data of a particular user. Proof of Concept Let promptid be the prompt id of user 1. Visit http://127.0.0.1:8080/prompts/promptid from another user's (user 2) session; user 2 can see user 1's promptid data. Previously it was reported by some on...
Lack of unique constraint validation allows overwriting evaluators
Description The application allows the creation of evaluators without enforcing a unique constraint on the combination of projectId and slug. This allows an attacker to overwrite existing data by submitting a POST request with the same slug as an existing evaluator. Since the backend lacks databa...
Logging into webui as view only internal user provides overly privileged bearer key
Description When a user with the role "internaluserviewer" logs into the application they are provided with an overly privileged API key. This key can be used to access all the admin functionality of the application. The following steps are taken: An admin creates an Internal User with the role...
Partial Account Takeover due to Insecure Data Querying
This report is not public...
Denial of service through batched queries in GraphQL
This report is not public...
Improper Access Control Allows deleting other users' reminders
Description Because the report I reported before was exploited on the public instance, I created a new report to exploit on the local machine. The vulnerability allows users to delete other users' prompts on the system via the groupid parameter. Proof of Concept const deletePromptController = async (req, res...
SQL Injection in default_jsonalyzer via prompt injection leads to arbitrary file creation
Description The default_jsonalyzer function used in JSONalyzeQueryEngine executes a SQLite query that the LLM made. If the attacker controls the SQLite query with prompt injection and executes a malicious SQLite query, then a denial-of-service attack and arbitrary file creation are possible. Root...
Unhandled exception leads to server crash
Description In Node.js Express, if an exception is uncaught, the server will crash. The fs module sometimes throws an exception when dealing with file uploads. An unauthenticated user can send something to the server that triggers the exception and crashes the server. Proof of Concept import requests import random import string...
Path traversal leads to arbitrary file write, leading to remote code execution
Description AnythingLLM uses the multer library to handle HTTP multipart file upload. AnythingLLM uses the following code to handle non-ASCII file names: file.originalname = Buffer.from(file.originalname, "latin1").toString("utf8"); This way of manipulating the filename will lead to path traversal. multer...
Arbitrary file deletion on Windows via the '/v1/agent/hub/update' endpoint.
This report is not public...
Remote Code Execution via Model Deserialization on /api/v2/models/install API
Summary I have identified a critical vulnerability leading to remote code execution in the /api/v2/models/install API through unsafe model deserialization. The API allows users to specify a model URL, which is downloaded and loaded server-side using torch.load without proper validation. This...
Leakage of Langfuse API keys in team exception handling
This report is not public...
Integer Overflow In /v2/repository/models/<model_name>/load
This report is not public...
multer (file upload middleware in Express) misused, leading to remote code execution
Description LibreChat uses multer to handle multipart file upload. The multer library will deal with '../'-style path traversal, then let the programmer decide the actual filename, then join the path to write the uploaded file. This means, if '../' is provided by the user of LibreChat, multer wil...
IDOR Vulnerability in PATCH `/v1/runs/:id/score` Endpoint Allows Unauthorized Score Updates for Other Users’ Runs
Description An Insecure Direct Object Reference (IDOR) vulnerability exists in the PATCH /v1/runs/:id/score endpoint. This endpoint allows an attacker to update the score data of any run by manipulating the id parameter in the request URL, which corresponds to the runIdscore in the database. The...
RCE via Global State Override
This exploit effectively serves as a bypass for CVE-2024-3408. An attacker can override global state to enable custom filters, which then facilitates remote code execution (RCE). Specifically, this vulnerability leverages the ability to manipulate global application settings to activate the...
A malicious gguf model can lead to DoS due to unchecked null pointer dereference via network
This report is not public...
A malicious gguf model can lead to DoS due to unchecked array bound access via network
This report is not public...
Malicious gguf model can cause DoS by allocating unlimited memory via network access
This report is not public...
Malicious gguf model can be uploaded and created causing division by zero via network, leading to DoS
This report is not public...
DoS using malicious gguf model file
This report is not public...
No limitation of upload file size leads to server crash
Description LibreChat uses multer, a middleware that handles streaming multipart file upload. If used with in-memory storage (multer's default) and without limiting the upload file size, the server will crash from out-of-memory when handling a big file. An attacker with no privilege can exploit this. Proof o...
Read from host file system via ImagePromptTemplate in langchain-core
Description You can create langchain_core.prompts.ImagePromptTemplate instances, and by extension langchain_core.prompts.ChatPromptTemplate instances, with input variables that make it possible for the prompt template to read any user-specified path from the server file system. If the outputs of the prompt...
Denial of service through tracking and requesting Aim objects through web API
This report is not public...
Dify tools: Vanna has pandas query injection
This report is not public...
Denial of service by tracking large images
This report is not public...
Lack of proper access control on endpoint to delete evaluators
Description The /v1/evaluators/ route allows users to delete evaluators of a project by sending a DELETE request. However, the route lacks proper access control, such as middleware to ensure that only users with appropriate roles can delete evaluator data. The current implementation: Does not...
Server-Side Request Forgery (SSRF) on WordExtractor in langgenius/dify
Summary The vulnerability occurs when uploading DOCX files in the "Create Knowledge" section. If an external relationship exists in the DOCX file, the reltype value is requested as a URL. Requests are sent using the 'requests' module instead of the 'ssrf_proxy', which can lead to an SSRF...
Ollama server is vulnerable to OOM DoS attacks when using `makeRequestWithRetry` and `getAuthorizationToken` functions
This report is not public...
CSRF ON SIGNUP PAGE
CSRF on creating a new user in mlflow/mlflow. Reported on Oct 31st 2024. The signup feature of MLflow is vulnerable to a CSRF attack that allows an attacker to create a new account. This may be used to perform unauthorised actions on behalf of the malicious user. Proof of Concept: An attacker can use CS...
SSRF due to insufficient patch of CVE-2024-5822
This report is not public...
(Blind) Stored XSS through the debug_log.html generated by the Latex Proof-Reading Module
This report is not public...
High-Severity Command Injection Vulnerability in run_BingBertSquad.sh
This report is not public...
Denial of service caused by unhandled exception
Description In JavaScript Express, if an async router handler throws an exception, the whole server will crash. In LibreChat, the middleware checkBan is not surrounded by a try/catch block. This middleware, under some crafted payload, will throw an exception and cause a server crash. This PoC can be exploited b...
Denial of Service (DoS) in KnowledgeBaseWebReader
Description The KnowledgeBaseWebReader class recursively calls the get_article_urls method. If the attacker can control a url variable to contain the root URL, it can lead to infinite recursive calls involving the same root URL repeatedly. This would cause a Denial of Service (DoS) scenario,...
SSRF Vulnerabilities found in Search and Github Integration AutoGPT Blocks
Hi, AutoGPT developers! Summary I have identified several Server-Side Request Forgery (SSRF) vulnerabilities in the default agent blocks provided by the AutoGPT platform. These vulnerabilities could lead to severe security issues, including credential leakage (e.g., GitHub tokens), internal network...
Admin account takeover through weak Pseudo-Random number generator used in generating password reset codes
This report is not public...
Missing check_access in lollms_binding_infos
This report is not public...
Logs Debug Injection In File Download
Description In 2 APIs: /code/download/:sessionId/:fileId and /download/:userId/:fileid, the parameters sessionId, fileId, userId, fileid are not validated or filtered at all but are saved directly to log.debug. Proof of Concept Prepare: The log file on the server is stored at /app/api/debug-.log I...
SSRF via Custom Tool Testing
This report is not public...
Unhandled exception causes server crash
Description In the JavaScript Express framework, if an async router handler throws an exception, the whole server will crash. In LibreChat, some APIs, when fed with some malformed input, will raise an uncaught exception. This will lead to a server crash, thus a full denial of service. Mind that although thi...
Admin account takeover due to allowed excessive guessing attempts for password reset code
This report is not public...
Admin user account takeover due to password reset code not being checked on the backend
This report is not public...
XSS in the edit HTML
This report is not public...
XSS by uploading pdf file
This report is not public...