A vulnerability in the parisneo/lollms, specifically in the `/unInstall_binding` endpoint, allows for arbitrary code execution due to insufficient sanitization of user input. The issue arises from the lack of path sanitization when handling the `name` parameter in the `unInstall_binding` function, allowing an attacker to traverse directories and execute arbitrary code by loading a malicious `__init__.py` file. This vulnerability affects the latest version of the software. The exploitation of this vulnerability could lead to remote code execution on the system where parisneo/lollms is deployed.

Affected Packages

PyPI lollms

Affected versions: 0 (fixed in 9.5.0)

Related CVEs

CVE-2024-4078

Key Information

GHSA ID

GHSA-pwc9-q4hj-pg8g

Published

May 16, 2024 9:33 AM

Last Modified

September 13, 2024 7:34 PM

CVSS Score

7.5 /10

Primary Ecosystem

PyPI

Primary Package

lollms

GitHub Reviewed

✓ Yes

Dataset

Last updated: July 7, 2025 6:28 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.