Remote Code Execution Vulnerability in lollms by Parisneo
CVE-2024-6982

8.4HIGH

Key Information:

Vendor: Parisneo
Status: Parisneo/lollms
Vendor: CVE Published:; 20 March 2025

Summary

A remote code execution vulnerability exists in the Calculate function of lollms (version 9.8) due to unsafe usage of Python's eval() function. This security flaw arises within a sandbox designed to restrict built-in functions, yet an attacker can bypass these restrictions by loading the os module with the _frozen_importlib.BuiltinImporter class. This weakness allows for the execution of arbitrary commands on the server, potentially leading to severe security breaches. The vulnerability has been addressed in version 9.10.

Affected Version(s)

parisneo/lollms < 9.10

References

https://huntr.com/bounties/4f8e73ac-aaaf-4d5c-a6dd-58215b...

https://github.com/parisneo/lollms/commit/30e7eaba2ccfb75...

CVSS V3.0

Score:

8.4

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Mar 20, 2025
Vulnerability Reserved
Jul 22, 2024