Command Injection Vulnerability in TranscriptEndpoint of mudler/localai
CVE-2024-2029

9.8CRITICAL

Key Information:

Vendor
Mudler
CVE Published:
10 April 2024

Summary

A command injection vulnerability has been identified in the TranscriptEndpoint of Mudler's LocalAI platform. The vulnerability lies within the audioToWav function, which converts uploaded audio files into WAV format for transcription. The flaw stems from inadequate sanitization of user-provided filenames, which are passed to the ffmpeg command through a shell invocation. This oversight could permit an attacker to execute arbitrary commands on the underlying host system. Successful exploitation may lead to unauthorized access, data breaches, or other negative consequences, contingent upon the privileges of the process that executes the code.
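The risky pattern the summary describes (one shell string built from a user-controlled filename) next to the argv-based hardening a defender would apply, as an added Go example that is not LocalAI's own code; the helper names, the upload directory, the filename allowlist and the ffmpeg options are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"os/exec"
	"path/filepath"
	"regexp"
	"strings"
)

// Risky pattern (constructed illustration of the bug class): the user-supplied
// name is spliced into a single shell line, so any shell metacharacter in it
// is interpreted by sh, not passed to ffmpeg as data.
func unsafeFfmpegCommand(src, dst string) *exec.Cmd {
	shellLine := fmt.Sprintf("ffmpeg -i %s -ar 16000 -ac 1 %s", src, dst)
	return exec.Command("sh", "-c", shellLine)
}

// Allowlist assumed for upload names: a bare file name made of [A-Za-z0-9._-]
// that starts with an alphanumeric (rejects "..", leading "-" option-style names).
var safeName = regexp.MustCompile(`^[A-Za-z0-9][A-Za-z0-9._-]*$`)

// validateUploadName rejects path components and anything outside the allowlist.
func validateUploadName(name string) (string, error) {
	if filepath.Base(name) != name || !safeName.MatchString(name) {
		return "", errors.New("invalid upload file name")
	}
	return name, nil
}

// safeFfmpegArgs builds an argv slice (constructed 16 kHz mono WAV options);
// with no shell involved every element reaches ffmpeg literally.
func safeFfmpegArgs(uploadDir, name string) ([]string, error) {
	clean, err := validateUploadName(name)
	if err != nil {
		return nil, err
	}
	src := filepath.Join(uploadDir, clean)
	dst := strings.TrimSuffix(src, filepath.Ext(src)) + ".wav"
	return []string{"-i", src, "-ar", "16000", "-ac", "1", dst}, nil
}

// safeFfmpegCommand is the hardened replacement for unsafeFfmpegCommand.
func safeFfmpegCommand(uploadDir, name string) (*exec.Cmd, error) {
	args, err := safeFfmpegArgs(uploadDir, name)
	if err != nil {
		return nil, err
	}
	return exec.Command("ffmpeg", args...), nil
}

func main() {
	cmd, err := safeFfmpegCommand("/tmp/uploads", "clip.mp3")
	fmt.Println(cmd.Args, err) // argv, not a shell string
}
```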

Affected Version(s)

mudler/localai < unspecified

References

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved