Cyber Resilience

CVE-2024-5443

Critical

Published: 22 June 2024

Modified: 15 April 2026
CVSS v3 score: 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.1747 (95.2nd percentile)
Risk priority: 30 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-5443 is a critical-severity path traversal vulnerability (CWE-29, Path Traversal: '\..\filename'). Its CVSS base score is 9.8 (Critical).

Operationally, its EPSS score ranks it in the top 4.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2024-5443 is a path traversal vulnerability in the parisneo/lollms software, specifically in the ExtensionBuilder().build_extension() function exposed via the /mount_extension endpoint. The flaw stems from inadequate sanitization of the data.category and data.folder parameters, which accept empty strings and allow construction of a package_path that resolves to the filesystem root. This affects all versions through 5.9.0 and is assigned CWE-29 with a CVSS score of 9.8.

An unauthenticated remote attacker who can place a config.yaml file in a controllable location can append that path to the extensions list, causing the application to execute an __init__.py file in the current directory and achieve remote code execution.

The vulnerability was fixed in version 9.8; the referenced commits on GitHub and the huntr.com bounty entries document the remediation that prevents empty category or folder values from producing a root-level package_path.

The EPSS score has remained flat at 0.1747 with no material increase after disclosure.

Vulnerability details

CVE-2024-4320 describes a vulnerability in the parisneo/lollms software, specifically within the `ExtensionBuilder().build_extension()` function. The vulnerability arises from the `/mount_extension` endpoint, where a path traversal issue allows attackers to navigate beyond the intended directory structure. This is facilitated by the `data.category` and `data.folder` parameters accepting empty strings (`""`), which, due to inadequate input sanitization, can lead to the construction of a `package_path` that points to the root directory. Consequently, if an attacker can create a `config.yaml` file in a controllable path, this path can be appended to the `extensions` list and trigger the execution of `__init__.py` in the current directory, leading to remote code execution. The vulnerability affects versions up to 5.9.0, and has been addressed in version 9.8.
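As an added illustration of the weakness described above (example code written for this page, not lollms project code; the extensions root, function names and error type are assumptions), the following contrasts a naive path join, which silently collapses onto its parent directory when both components are empty, with a hardened version that rejects empty or traversal-bearing components and then checks that the resolved path is still contained in the extensions root:

```python
from pathlib import Path

# Assumed, constructed location for installed extensions (not the project's real layout).
EXTENSIONS_ROOT = Path("/opt/lollms/extensions")


class InvalidExtensionPath(ValueError):
    """Raised when category/folder would escape, or collapse, the package path."""


def naive_package_path(category: str, folder: str, root: Path = EXTENSIONS_ROOT) -> Path:
    # Unchecked join: pathlib drops empty segments, so ("", "") yields `root` itself,
    # i.e. a "package" path the caller never intended to expose.
    return root / category / folder


def _check_component(name: str, value: str) -> str:
    # Reject the empty-string case called out in the advisory, plus anything that
    # is not a single plain path segment (separators, '.', '..', NUL, padding).
    if value == "" or value.strip() != value:
        raise InvalidExtensionPath(f"{name} must be a non-empty path segment")
    if value in (".", "..") or "/" in value or "\\" in value or "\0" in value:
        raise InvalidExtensionPath(f"{name} must not contain separators or traversal")
    return value


def build_package_path(category: str, folder: str, root: Path = EXTENSIONS_ROOT) -> Path:
    """Return root/category/folder only when both parts are plain segments and the
    result still lives under root after symlink and '..' resolution."""
    category = _check_component("category", category)
    folder = _check_component("folder", folder)
    root = root.resolve()
    candidate = (root / category / folder).resolve()
    # Containment check as defense in depth: root must be a strict ancestor.
    if root not in candidate.parents:
        raise InvalidExtensionPath("package_path escapes the extensions root")
    return candidate


def is_safe(category: str, folder: str, root: Path = EXTENSIONS_ROOT) -> bool:
    """Convenience predicate: True only if build_package_path accepts the inputs."""
    try:
        build_package_path(category, folder, root)
        return True
    except InvalidExtensionPath:
        return False
```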

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
