txtai@4.1.0 vulnerabilities

All-in-one open-source AI framework for semantic search, LLM orchestration and language model workflows

  • latest version

    9.1.0

  • latest non vulnerable version

  • first published

    5 years ago

  • latest version published

    4 days ago

  • licenses detected

  • Direct Vulnerabilities

    Known vulnerabilities in the txtai package. This does not include vulnerabilities belonging to this package’s dependencies.

    Vulnerability | Vulnerable Version
    • C
    UNIX Symbolic Link (Symlink) Following

    txtai is an All-in-one open-source AI framework for semantic search, LLM orchestration and language model workflows

    Affected versions of this package are vulnerable to UNIX Symbolic Link (Symlink) Following via the validate function due to improper sanitization of symbolic links within the tar file. An attacker can write arbitrary files to any location on the filesystem by including symbolic links within a compressed tar file that is loaded as an embedding index.

    Note:

    This is only exploitable if txtai is used to load untrusted embedding indices.

    How to fix UNIX Symbolic Link (Symlink) Following?

    Upgrade txtai to version 9.0.1 or higher.

    Vulnerable versions: [,9.0.1)
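    As an added illustration (not txtai's own code) of the check an index loader needs before unpacking a tarball: every member name and every link target is resolved against the destination directory, and anything that escapes it is reported. The archive built by `build_sample()` is constructed here for the demonstration; `unsafe_members` and `check_index_archive` are hypothetical helper names.

```python
import io
import os
import tarfile


def unsafe_members(tar: tarfile.TarFile, dest: str) -> list[str]:
    """Return names of members that must not be extracted into dest.

    Flags path traversal and symlinks/hardlinks whose target resolves
    outside dest. Resolution is done against the destination on disk, so
    links created earlier in the same archive are not modelled: always
    extract into a fresh, empty directory. Hypothetical helper, not txtai.
    """
    root = os.path.realpath(dest)
    bad = []
    for m in tar.getmembers():
        target = os.path.realpath(os.path.join(root, m.name))
        if os.path.commonpath([root, target]) != root:
            bad.append(m.name)          # "../x" or absolute member name
            continue
        if m.issym() or m.islnk():
            # symlink targets are relative to the link's own directory,
            # hardlink targets are relative to the archive root
            base = os.path.dirname(target) if m.issym() else root
            link = os.path.realpath(os.path.join(base, m.linkname))
            if os.path.commonpath([root, link]) != root:
                bad.append(m.name)      # link points outside dest
    return bad


def check_index_archive(blob: bytes, dest: str) -> list[str]:
    """Open an in-memory tar and list the members that would escape dest."""
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r") as tar:
        return unsafe_members(tar, dest)


def build_sample() -> bytes:
    """Constructed archive: a harmless file, a symlink that escapes the
    index directory, and a member whose name traverses upward."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        data = b"{}"
        info = tarfile.TarInfo("config.json")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
        link = tarfile.TarInfo("escape")
        link.type = tarfile.SYMTYPE
        link.linkname = "../../outside"
        tar.addfile(link)
        tar.addfile(tarfile.TarInfo("../traversal"), io.BytesIO(b""))
    return buf.getvalue()
```

On Python releases that ship extraction filters, `tar.extractall(path, filter="data")` rejects the same classes of member; the explicit check above is useful where that filter is unavailable or where the loader should refuse the whole archive rather than skip members.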