txtai@8.3.1 vulnerabilities

All-in-one open-source AI framework for semantic search, LLM orchestration and language model workflows

  • latest version

    9.0.1

  • first published

    5 years ago

  • latest version published

    23 days ago

  • Direct Vulnerabilities

    Known vulnerabilities in the txtai package. This does not include vulnerabilities belonging to this package’s dependencies.

    Vulnerability (severity: C): UNIX Symbolic Link (Symlink) Following

    txtai is an All-in-one open-source AI framework for semantic search, LLM orchestration and language model workflows

    Affected versions of this package are vulnerable to UNIX Symbolic Link (Symlink) Following via the validate function, which does not properly sanitize symbolic links contained in the tar file. An attacker can write arbitrary files to any location on the filesystem by including symbolic links in a compressed tar file that is then loaded as an embeddings index.

    Note: This is only exploitable if txtai is used to load untrusted embedding indices.
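    As an added illustration (not txtai's own code), the kind of member check a loader of untrusted embeddings archives needs before extracting a tar: link entries of any kind are rejected, as are paths that resolve outside the destination directory. The sample archive is constructed inline for the demonstration.

```python
import io
import os
import tarfile
import tempfile

def build_sample_archive() -> bytes:
    """Constructed test archive: one legitimate index file, one symlink member
    with an absolute target, and one member whose path escapes the index dir."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        data = b"constructed index data"
        info = tarfile.TarInfo("index/config")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
        link = tarfile.TarInfo("index/embeddings")
        link.type = tarfile.SYMTYPE
        link.linkname = "/etc/passwd"          # symlink escaping the index
        tar.addfile(link)
        evil = tarfile.TarInfo("../outside.txt")  # classic path traversal
        evil.size = 1
        tar.addfile(evil, io.BytesIO(b"x"))
    return buf.getvalue()

def unsafe_members(tar: tarfile.TarFile, dest: str) -> list[str]:
    """Names of members that must not be extracted: symlinks/hardlinks, and
    any path that does not resolve to a location inside dest."""
    root = os.path.realpath(dest)
    bad = []
    for m in tar.getmembers():
        if m.issym() or m.islnk():
            bad.append(m.name)
            continue
        target = os.path.realpath(os.path.join(root, m.name))
        if os.path.commonpath([root, target]) != root:
            bad.append(m.name)
    return bad

def safe_extract(archive: bytes, dest: str) -> list[str]:
    """Extract only regular files/directories that stay inside dest."""
    extracted = []
    # Use the stdlib 'data' filter as a second line of defence where available.
    kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
        rejected = set(unsafe_members(tar, dest))
        for m in tar.getmembers():
            if m.name in rejected or not (m.isfile() or m.isdir()):
                continue
            tar.extract(m, dest, **kwargs)
            extracted.append(m.name)
    return extracted

def run_demo() -> tuple[list[str], list[str]]:
    """Return (rejected member names, extracted member names) for the sample."""
    archive = build_sample_archive()
    with tempfile.TemporaryDirectory() as dest:
        with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
            rejected = unsafe_members(tar, dest)
        extracted = safe_extract(archive, dest)
    return rejected, extracted
```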

    How to fix UNIX Symbolic Link (Symlink) Following?

    Upgrade txtai to version 9.0.1 or higher.

    Vulnerable versions: [,9.0.1)