
GHSA-79h8-gxhq-q3jg

GitHub Security Advisory

Remote Code Execution in create_conda_env function in lollms

✓ GitHub Reviewed MODERATE Has CVE

Advisory Details

A remote code execution vulnerability exists in the create_conda_env function of the parisneo/lollms repository. It arises from the use of shell=True in a subprocess.Popen call, which allows an attacker to inject arbitrary commands by manipulating the env_name and python_version parameters. This issue could lead to a serious security breach, as demonstrated by the ability to execute the 'whoami' command among potentially other harmful commands.
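The pattern described above, shown beside a hardened form as an added example (not code from the lollms project): the unsafe variant hands a formatted string to a shell, while the fixed variant validates env_name and python_version against an allow-list and passes an argv list with no shell involved. The regexes and the conda command line are assumptions for illustration.

```python
from __future__ import annotations

import re
import subprocess

# Assumed allow-lists: conda env names and Python version strings. Anything
# outside these never reaches a command line, let alone a shell.
_ENV_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")
_PY_VERSION_RE = re.compile(r"^\d+(\.\d+){0,2}$")


def create_conda_env_command_unsafe(env_name: str, python_version: str) -> str:
    """The vulnerable pattern: a single string meant for shell=True.

    Any shell metacharacter in env_name or python_version becomes part of
    the command the shell parses. Returned rather than executed here so the
    contrast with the hardened form is visible.
    """
    return f"conda create -y -n {env_name} python={python_version}"


def build_conda_create_argv(env_name: str, python_version: str) -> list[str]:
    """Validate both inputs and return an argv list for conda.

    Raises ValueError on anything outside the allow-list, so characters such
    as ';', '|', '&', '$', backticks or whitespace are rejected up front.
    """
    if not _ENV_NAME_RE.fullmatch(env_name):
        raise ValueError(f"invalid conda environment name: {env_name!r}")
    if not _PY_VERSION_RE.fullmatch(python_version):
        raise ValueError(f"invalid python version: {python_version!r}")
    return ["conda", "create", "-y", "-n", env_name, f"python={python_version}"]


def create_conda_env(env_name: str, python_version: str) -> int:
    """Hardened form: validated inputs, argv list, no shell.

    subprocess.run with a list executes conda directly; each element is passed
    as one argument and is never interpreted by /bin/sh.
    """
    argv = build_conda_create_argv(env_name, python_version)
    return subprocess.run(argv, check=False).returncode
```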

Affected Packages

PyPI lollms
Affected versions: all releases up to and including 9.5.1 (introduced in: 0, last affected: 9.5.1)

Related CVEs

Key Information

GHSA ID
GHSA-79h8-gxhq-q3jg
Published
June 24, 2024 12:34 AM
Last Modified
June 24, 2024 9:25 PM
CVSS Score
5.0 /10
Primary Ecosystem
PyPI
Primary Package
lollms
GitHub Reviewed
✓ Yes

Dataset

Last updated: July 7, 2025 6:28 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.