lollms@9.3.0 vulnerabilities

A python library for AI personality definition

Direct Vulnerabilities

Known vulnerabilities in the lollms package. This does not include vulnerabilities belonging to this package’s dependencies.

Severity: Medium
Path Traversal


Affected versions of this package are vulnerable to Path Traversal in the speaker WAV and output file paths. This vulnerability can be abused to write audio files compatible with XTTS to arbitrary locations on the system, and also to enumerate such file paths on the system.

How to fix Path Traversal?

There is no fixed version for lollms.

Vulnerable versions: [0,) (all released versions)
Severity: High
Path Traversal


Affected versions of this package are vulnerable to Path Traversal because the root folder setting can be changed without authentication. An attacker can read arbitrary files on the system.

Note: This vulnerability can be abused to write audio files compatible with XTTS to arbitrary locations on the system, and also enumerate such file paths on the system.

How to fix Path Traversal?

There is no fixed version for lollms.

Vulnerable versions: [0,) (all released versions)
Severity: Critical
Arbitrary File Write via Archive Extraction (Zip Slip)


Affected versions of this package are vulnerable to Arbitrary File Write via Archive Extraction (Zip Slip) via the ExtensionBuilder().build_extension() function and the /mount_extension endpoint. An attacker can execute arbitrary code by manipulating the data.category and data.folder parameters to navigate beyond the intended directory structure and create or append malicious configurations to the extensions list.

How to fix Arbitrary File Write via Archive Extraction (Zip Slip)?

Upgrade lollms to version 9.5.1 or higher.

Vulnerable versions: [9.3.0,9.5.1)
Severity: Critical
Path Traversal


Affected versions of this package are vulnerable to Path Traversal due to improper sanitization of Windows-style path separators (\) in the sanitize_path_from_endpoint function. An attacker with access to the application can read or delete any file on the Windows filesystem.

How to fix Path Traversal?

Upgrade lollms to version 9.5.0 or higher.

Vulnerable versions: [9.3.0,9.5.0)
Severity: High
Path Traversal


Affected versions of this package are vulnerable to Path Traversal due to improper validation of file paths between Windows and Linux environments. An attacker can access sensitive information such as environment variables, database files, and configuration files by crafting requests using backslashes to manipulate file paths.

How to fix Path Traversal?

Upgrade lollms to version 9.5.1 or higher.

Vulnerable versions: [9.3.0,9.5.1)
Severity: Critical
Path Traversal


Affected versions of this package are vulnerable to Path Traversal via the sanitize_path_from_endpoint and sanitize_path functions. An attacker can read arbitrary files and potentially disrupt service by crafting malicious input.

How to fix Path Traversal?

Upgrade lollms to version 9.5.1 or higher.

Vulnerable versions: [9.3.0,9.5.1)
Severity: Critical
Command Injection


Affected versions of this package are vulnerable to Command Injection in the unInstall_binding function. Because the name parameter is insufficiently sanitized, an attacker can execute arbitrary code by causing a malicious __init__.py file to be loaded.

How to fix Command Injection?

Upgrade lollms to version 9.5.1 or higher.

Vulnerable versions: [0,9.5.1)