CVE-2024-3121

A remote code execution vulnerability exists in the create_conda_env function of the parisneo/lollms repository, version 5.9.0. The vulnerability arises from the use of shell=True in the subprocess.Popen function, which allows an attacker to inject arbitrary commands by manipulating the env_name and python_version parameters. This issue could lead to a serious security breach as demonstrated by the ability to execute the 'whoami' command among potentially other harmful commands.

Published: Jun 24, 2024
Updated: May 4, 2025
CVE: CVE-2024-3121
GHSA: GHSA-79h8-gxhq-q3jg
Severity: Low
Exploit:

CVSS v3:

Severity: Low
Score: 3.3
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

CWEs:

CWE-94
CWE-78

OWASP TOP 10:

A1 - Injection

Affected Software
References

Software	From	Fixed in
lollms	-	9.5.1.x
lollms / lollms	5.9.0	5.9.0.x

https://huntr.com/bounties/db57c343-9b80-4c1c-9ab0-9eef92c9b27b

Vulnerability Database

CVE-2024-3121

Deep Security Visibility Without the Complexity