CVE-2024-4315

parisneo/lollms version 9.5 is vulnerable to Local File Inclusion (LFI) attacks due to insufficient path sanitization. The sanitize_path_from_endpoint function fails to properly sanitize Windows-style paths (backward slash \), allowing attackers to perform directory traversal attacks on Windows systems. This vulnerability can be exploited through various routes, including personalities and /del_preset, to read or delete any file on the Windows filesystem, compromising the system's availability.

Published: Jun 12, 2024
Updated: May 4, 2025
CVE: CVE-2024-4315
GHSA: GHSA-vqwr-q6cc-c242
Severity: Critical
Exploit:

CVSS v3:

Severity: Unknown
Score:
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

CWEs:

CWE-22
CWE-98

OWASP TOP 10:

A5 - Broken Access Control

Affected Software
References

Software	From	Fixed in
lollms	-	9.5.0

https://github.com/parisneo/lollms/commit/95ad36eeffc6a6be3e3f35ed35a384d768f0ecf6
https://huntr.com/bounties/8a1b0197-2c36-4276-b92b-630a2a9bb09c

Vulnerability Database

CVE-2024-4315

Deep Security Visibility Without the Complexity