CVE-2024-6250
Published: 27 June 2024
Summary
CVE-2024-6250 is a high-severity Absolute Path Traversal (CWE-36) vulnerability in parisneo/lollms-webui (catalogued as "Lollms Lollms Web Ui"). Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK techniques Data from Local System (T1005) and File and Directory Discovery (T1083); the CVE ranks in the top 6.3% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
This vulnerability is AI-related — categorised as Other Platforms; in the Privacy and Disclosure risk domain; MITRE ATLAS techniques in scope: AML.T0022.000, AML.T0026.000, AML.T0039.000.
Deeper analysis
An absolute path traversal vulnerability exists in parisneo/lollms-webui v9.6, specifically in the open_file endpoint of lollms_advanced.py. The sanitize_path function with allow_absolute_path=True allows an attacker to access arbitrary files and directories on a Windows system. This vulnerability can be exploited to read any file and list arbitrary directories on the affected system.
The issue can be exploited remotely by unauthenticated attackers over the network with no user interaction required. The impact is to confidentiality only (arbitrary file read and directory listing; no write or denial-of-service primitive is described), which is what the CVSS 7.5 score reflects. An attacker can leverage the endpoint to retrieve sensitive file contents (configuration, API keys, model and chat data) or enumerate directory structures on the host. Because no authentication is needed, any lollms-webui v9.6 instance reachable beyond localhost should be treated as exposing its filesystem.
The associated EPSS score reached a peak of 0.2393 (roughly a 24% estimated probability of exploitation activity within 30 days), indicating a material rise in exploitation interest after disclosure.
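The advisory's root cause is a sanitizer that, with `allow_absolute_path=True`, lets an absolute path through and then opens it. The following is an added example, not lollms-webui's own code: `weak_sanitize` is a hypothetical model of that pattern (it strips traversal segments from relative paths but passes absolute, drive-qualified or UNC paths through untouched), and `resolve_under_root` is the hardened alternative that anchors every request under one base directory, rejects drive, UNC and rooted paths with Windows semantics on any platform, resolves symlinks, and checks containment on the resolved path. `demo` builds a throwaway directory and runs both over constructed probe inputs; the names, inputs and the shape of the weak function are assumptions for illustration.

```python
"""
Added example (not lollms-webui's code): a hypothetical model of a sanitizer
that honours absolute paths, beside a hardened resolver that confines every
request to a base directory.
"""
import os
import re
import tempfile
from pathlib import PureWindowsPath


def weak_sanitize(user_path: str, allow_absolute_path: bool = True) -> str:
    """Hypothetical model of the weak pattern (assumption, not the project's code).

    Relative paths lose their '.', '..' and empty segments, but an absolute
    path (drive letter, UNC prefix or leading slash) is returned untouched
    when allow_absolute_path is True, so C:\\Windows\\win.ini stays C:\\Windows\\win.ini.
    """
    wp = PureWindowsPath(user_path)  # Windows semantics on every platform
    if allow_absolute_path and (wp.drive or wp.root):
        return user_path
    parts = [p for p in re.split(r"[\\/]+", user_path) if p not in ("", ".", "..")]
    return os.path.join(*parts) if parts else ""


def resolve_under_root(root: str, user_path: str) -> str:
    """Return the real path of user_path inside root, or raise ValueError.

    Rejects 'C:\\x' (absolute), 'C:x' (drive-relative), '\\\\srv\\share\\x'
    (UNC) and '/etc/passwd' (rooted) before touching the filesystem, then
    resolves symlinks and requires the result to remain under root.
    """
    root_real = os.path.realpath(root)
    wp = PureWindowsPath(user_path)
    if wp.drive or wp.root:
        raise ValueError(f"absolute or drive-qualified path rejected: {user_path!r}")
    rel = user_path.replace("\\", "/")  # normalise separators before joining
    candidate = os.path.realpath(os.path.join(root_real, rel))
    try:
        inside = os.path.commonpath([root_real, candidate]) == root_real
    except ValueError:  # different drives on Windows: cannot be inside root
        inside = False
    if not inside:
        raise ValueError(f"path escapes base directory: {user_path!r}")
    return candidate


def demo() -> dict:
    """Run both functions over constructed probes in a throwaway directory."""
    root = tempfile.mkdtemp(prefix="lollms_demo_")
    with open(os.path.join(root, "notes.txt"), "w", encoding="utf-8") as fh:
        fh.write("inside the sandbox\n")
    # A symlink inside root that points outside it (skipped where unsupported).
    try:
        os.symlink(os.path.dirname(root), os.path.join(root, "escape"))
    except OSError:
        pass
    probes = [                        # constructed inputs
        "notes.txt",                  # legitimate relative file
        "..\\..\\Windows\\win.ini",   # relative traversal
        "C:\\Windows\\win.ini",       # absolute path, the advisory's case
        "C:secrets.txt",              # drive-relative
        "\\\\srv\\share\\x.txt",      # UNC path
        "/etc/passwd",                # POSIX absolute
        "escape/notes.txt",           # symlink escape
    ]
    results = {}
    for probe in probes:
        try:
            resolve_under_root(root, probe)
            hardened = "allowed"
        except ValueError:
            hardened = "rejected"
        results[probe] = {
            "weak_returns": weak_sanitize(probe, allow_absolute_path=True),
            "hardened": hardened,
        }
    return results


if __name__ == "__main__":
    for probe, outcome in demo().items():
        print(f"{probe!r:32} weak -> {outcome['weak_returns']!r:32} hardened -> {outcome['hardened']}")
```

The containment check is done on the result of `os.path.realpath`, not on the string the client sent, so `..` segments and symlinks are evaluated after resolution; a check done on the raw string would pass `escape/notes.txt` while the open would read outside the directory.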
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-47374
Vulnerability details
An absolute path traversal vulnerability exists in parisneo/lollms-webui v9.6, specifically in the `open_file` endpoint of `lollms_advanced.py`. The `sanitize_path` function with `allow_absolute_path=True` allows an attacker to access arbitrary files and directories on a Windows system. This vulnerability can be exploited to read any file and list arbitrary directories on the affected system.
- CWE(s): CWE-36 (Absolute Path Traversal)
AI Security Analysis
- AI Category: Other Platforms
- Risk Domain: Privacy and Disclosure
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: lollms-webui is an open-source web UI platform for running and interacting with large language models (LLMs), fitting under 'Other Platforms' as it provides a deployment interface for AI models rather than core frameworks, libraries, or specific AI subdomains.
Related Threats
MITRE ATT&CK Enterprise Techniques
- T1005: Data from Local System
- T1083: File and Directory Discovery
Why these techniques?
Path traversal enables arbitrary file reads (T1005: Data from Local System) and directory listings (T1083: File and Directory Discovery).
MITRE ATLAS Techniques
- AML.T0022.000
- AML.T0026.000
- AML.T0039.000
Affected Assets
- parisneo/lollms-webui v9.6, `open_file` endpoint in `lollms_advanced.py` (Windows hosts per the description)
Mitigating Controls
No mitigating controls mapped yet.