CVE-2024-8898
Published: 20 March 2025
Summary
CVE-2024-8898 is a critical-severity Path Traversal (CWE-22) vulnerability in Lollms Lollms Web Ui. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 42.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Requires implementation of input validation mechanisms at API endpoints to sanitize user-supplied paths and directly prevent the path traversal exploitation in CVE-2024-8898.
Mandates timely flaw remediation, including application of the specific fixing commit for the path traversal vulnerability in lollms-webui V12.
Enforces approved authorizations for logical access to system resources, limiting API operations to intended directories and mitigating unauthorized traversal.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Path traversal in public-facing web UI API endpoints directly enables T1190 for initial access; arbitrary directory creation/deletion facilitates T1485 for data destruction and service disruption.
NVD Description
A path traversal vulnerability exists in the `install` and `uninstall` API endpoints of parisneo/lollms-webui version V12 (Strawberry). This vulnerability allows attackers to create or delete directories with arbitrary paths on the system. The issue arises due to insufficient sanitization of…
more
user-supplied input, which can be exploited to traverse directories outside the intended path.
Deeper analysisAI
CVE-2024-8898, published on 2025-03-20, is a path traversal vulnerability (CWE-22) affecting the `install` and `uninstall` API endpoints in parisneo/lollms-webui version V12 (Strawberry). The flaw arises from insufficient sanitization of user-supplied input, allowing attackers to traverse directories outside the intended path and create or delete directories with arbitrary paths on the host system. It carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity with high impacts on confidentiality, integrity, and availability.
Unauthenticated attackers with network access can exploit this vulnerability with low complexity and no user interaction required. Exploitation enables remote creation or deletion of arbitrary directories, granting significant control over the file system and potentially facilitating further compromise such as data exfiltration, persistence, or disruption of services.
Advisories reference a fixing commit at https://github.com/parisneo/lollms-webui/commit/6d07c8a0dd0a15cc060becc73fda9fe8e788eb23, and the issue was reported via Huntr bounties documented at https://huntr.com/bounties/6072371f-0ddc-42e3-9207-1c6d6b18d32f. Security practitioners should apply the patch and review access to affected API endpoints.
Details
- CWE(s)