Localai Security Vulnerabilities and Issues — Localai CVE List

Lucene search

MudlerLocalai

10 matches found

CVE•added 2024/04/10 5:15 p.m.•80 views

CVE-2024-2029

A command injection vulnerability exists in the TranscriptEndpoint of mudler/localai, specifically within the audioToWav function used for converting audio files to WAV format for transcription. The vulnerability arises due to the lack of sanitization of user-supplied filenames before passing them ...

9.8CVSS9.7AI score0.01354EPSS

CVE•added 2024/11/04 11:15 p.m.•80 views

CVE-2024-48057

localai

6.1CVSS6.2AI score0.0003EPSS

CVE•added 2024/04/01 7:15 p.m.•63 views

CVE-2024-3135

A Cross-Site Request Forgery (CSRF) vulnerability exists in the mudler/localai application, allowing attackers to craft malicious webpages that, when visited by a victim, perform unauthorized actions on the victim's local LocalAI instance without their consent. This vulnerability enables attackers ...

6.5CVSS6.4AI score0.00086EPSS

CVE•added 2024/07/06 6:15 p.m.•56 views

CVE-2024-6095

A vulnerability in the /models/apply endpoint of mudler/localai versions 2.15.0 allows for Server-Side Request Forgery (SSRF) and partial Local File Inclusion (LFI). The endpoint supports both http(s):// and file:// schemes, where the latter can lead to LFI. However, the output is limited due to th...

5.8CVSS5.2AI score0.73359EPSS

CVE•added 2024/06/26 3:15 a.m.•46 views

CVE-2024-5181

A command injection vulnerability exists in the mudler/localai version 2.14.0. The vulnerability arises from the application's handling of the backend parameter in the configuration file, which is used in the name of the initialized process. An attacker can exploit this vulnerability by manipulatin...

9.8CVSS9.7AI score0.02145EPSS

CVE•added 2024/07/06 9:15 a.m.•40 views

CVE-2024-5616

A Cross-Site Request Forgery (CSRF) vulnerability exists in mudler/LocalAI versions up to and including 2.15.0, which allows attackers to trick victims into deleting installed models. By crafting a malicious HTML page, an attacker can cause the deletion of a model, such as 'gpt-4-vision-preview', w...

4.3CVSS4.6AI score0.00051EPSS

CVE•added 2024/06/20 12:15 a.m.•38 views

CVE-2024-5182

A path traversal vulnerability exists in mudler/localai version 2.14.0, where an attacker can exploit the model parameter during the model deletion process to delete arbitrary files. Specifically, by crafting a request with a manipulated model parameter, an attacker can traverse the directory struc...

9.1CVSS8.3AI score0.00333EPSS

CVE•added 2024/10/29 1:15 p.m.•37 views

CVE-2024-7010

mudler/localai version 2.17.1 is vulnerable to a Timing Attack. This type of side-channel attack allows an attacker to compromise the cryptosystem by analyzing the time taken to execute cryptographic algorithms. Specifically, in the context of password handling, an attacker can determine valid logi...

7.5CVSS6.8AI score0.00123EPSS

CVE•added 2024/10/29 1:15 p.m.•36 views

CVE-2024-6868

mudler/LocalAI version 2.17.1 allows for arbitrary file write due to improper handling of automatic archive extraction. When model configurations specify additional files as archives (e.g., .tar), these archives are automatically extracted after downloading. This behavior can be exploited to perfor...

9.8CVSS8.5AI score0.00488EPSS

CVE•added 2024/09/27 4:15 p.m.•34 views

CVE-2024-6983

mudler/localai version 2.17.1 is vulnerable to remote code execution. The vulnerability arises because the localai backend receives inputs not only from the configuration file but also from other inputs, allowing an attacker to upload a binary file and execute malicious code. This can lead to the a...

8.8CVSS9.1AI score0.02364EPSS