Relative Path Traversal Affecting lollms package, versions [0,]

Q: How to fix?

A fix was pushed into the master branch but not yet published.

Threat Intelligence

Proof of Concept

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Relative Path Traversal vulnerabilities in an interactive lesson.

Start learning

Snyk IDSNYK-PYTHON-LOLLMS-9573034
published31 Mar 2025
disclosed20 Mar 2025
creditHaiNguyen

Report a new vulnerability Found a mistake?

Introduced: 20 Mar 2025

NewCVE-2024-7058 (opens in a new tab) CWE-23 (opens in a new tab)

How to fix?

A fix was pushed into the master branch but not yet published.

Overview

lollms is a python library for AI personality definition

Affected versions of this package are vulnerable to Relative Path Traversal in the sanitize_path() function, which does not account for ./ sequences in pathnames. An attacker can bypass the sanitization to access the contents of personality_folder.

This vulnerability is a bypass to the fix introduced for the vulnerability described in CVE-2024-6985.

PoC

GET /list_personalities?category=./ HTTP/1.1

References

CVSS Base Scores

version 4.0

version 3.1

Attack Vector (AV)
Network
Attack Complexity (AC)
Low
Attack Requirements (AT)
None
Privileges Required (PR)
High
User Interaction (UI)
None

Confidentiality (VC)
Low
Integrity (VI)
None
Availability (VA)
None

Confidentiality (SC)
None
Integrity (SI)
None
Availability (SA)
None