
CVE-2024-2029 github.com/go-skynet/localai

Package

Manager: go
Name: github.com/go-skynet/localai
Vulnerable Version: >=0 <2.10.0

Severity

Level: Critical

CVSS v3 (vector string declares 3.0): CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.01829 (percentile 0.82193)

Details

LocalAI Command Injection in audioToWav

A command injection vulnerability exists in the `TranscriptEndpoint` of mudler/localai, specifically in the `audioToWav` function that converts uploaded audio files to WAV before transcription. The user-supplied filename from the upload is not sanitized before it is interpolated into a shell command that invokes ffmpeg, so shell metacharacters in the filename are interpreted by the shell and an attacker who can reach the endpoint can execute arbitrary commands on the host. The CVSS vectors above score the issue as reachable over the network with no privileges and no user interaction required (AV:N/PR:N/UI:N). The impact depends on the privileges of the LocalAI process: unauthorized access to the host, data breaches, or further compromise of the system it runs on. Versions before 2.10.0 are affected; upgrade to 2.10.0 or later.
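The following Go program is an added illustration, not LocalAI's own code: it reconstructs the shape of the flaw the advisory describes (an uploaded filename formatted into a string that is handed to `sh -c` to run ffmpeg) beside a hardened form that never goes through a shell and validates the name first. The function names, the upload directory and the malicious filename are constructed for the example; the ffmpeg options are only there to make the argv realistic and the commands are built but not executed.

```go
package main

import (
	"errors"
	"fmt"
	"os/exec"
	"path/filepath"
	"regexp"
	"strings"
)

// Constructed input: a filename an attacker could place in the multipart
// upload. The shell treats ';' as a command separator and '#' as a comment,
// so everything after the real name becomes a second command.
const maliciousName = "song.mp3; touch /tmp/pwned #"

// vulnerableCommandLine mirrors the pattern behind CWE-78: caller-controlled
// data is interpolated into one string that a shell will parse.
func vulnerableCommandLine(src, dst string) string {
	return fmt.Sprintf("ffmpeg -i %s -ar 16000 -ac 1 -c:a pcm_s16le %s", src, dst)
}

// vulnerableCmd shows how that string reaches the shell. Nothing in Go
// escapes it; sh splits it and runs the injected command.
func vulnerableCmd(src, dst string) *exec.Cmd {
	return exec.Command("sh", "-c", vulnerableCommandLine(src, dst))
}

// safeNameRE is a conservative allowlist for a base name: letters, digits,
// dot, underscore and hyphen. Anything else (spaces, ';', quotes, '/') is
// rejected rather than escaped.
var safeNameRE = regexp.MustCompile(`^[A-Za-z0-9._-]+$`)

// safeBasename reduces an uploaded filename to a validated base name.
// filepath.Base strips any directory components (so "../../etc/passwd"
// cannot escape the upload directory), and a leading '-' is refused so the
// name cannot be parsed by ffmpeg as an option.
func safeBasename(name string) (string, error) {
	base := filepath.Base(name)
	if base == "." || base == ".." || base == "/" || strings.HasPrefix(base, "-") {
		return "", errors.New("invalid filename")
	}
	if !safeNameRE.MatchString(base) {
		return "", errors.New("filename contains disallowed characters")
	}
	return base, nil
}

// hardenedCmd builds the same conversion without a shell: every value is its
// own argv element, so metacharacters in the name are just bytes in a path.
func hardenedCmd(uploadDir, uploadedName string) (*exec.Cmd, error) {
	base, err := safeBasename(uploadedName)
	if err != nil {
		return nil, err
	}
	src := filepath.Join(uploadDir, base)
	dst := src + ".wav"
	return exec.Command("ffmpeg",
		"-i", src, "-ar", "16000", "-ac", "1", "-c:a", "pcm_s16le", dst), nil
}

func main() {
	// Vulnerable path: the injected command survives intact inside argv[2].
	v := vulnerableCmd(maliciousName, "out.wav")
	fmt.Printf("vulnerable argv: %q\n", v.Args)

	// Hardened path: the malicious name is rejected before any command exists.
	if _, err := hardenedCmd("/tmp/uploads", maliciousName); err != nil {
		fmt.Println("hardened rejected:", err)
	}
	// A benign name yields a shell-free argv.
	h, _ := hardenedCmd("/tmp/uploads", "talk.mp3")
	fmt.Printf("hardened argv: %q\n", h.Args)
}
```

The allowlist is deliberately strict; a service that must accept arbitrary client names should instead ignore the client-supplied name entirely and write the upload to a server-generated temporary path, since the name carries no information the converter needs. Either way, the essential fix is the `exec.Command("ffmpeg", ...)` form with separate arguments and no `sh -c`.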

Metadata

Created: 2024-04-10T18:30:48Z
Modified: 2024-07-08T21:04:48Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/04/GHSA-wx43-g55g-2jf4/GHSA-wx43-g55g-2jf4.json
CWE IDs: CWE-78 (Improper Neutralization of Special Elements used in an OS Command)
Alternative ID: GHSA-wx43-g55g-2jf4
Finding: F404
Auto approve: 1