CVE-2024-1601

9.8 CRITICAL

📋 TL;DR

An SQL injection vulnerability in the parisneo/lollms-webui application allows an unauthenticated attacker to delete all discussion and message data by sending a crafted HTTP POST request to the /delete_discussion endpoint: the discussion id taken from the request is placed into the DELETE statement without parameterization, so a crafted value widens the WHERE clause to every row. This affects all users running vulnerable versions of lollms-webui and can result in complete loss of stored conversation histories.

💻 Affected Systems

Products:
  • parisneo/lollms-webui
Versions: all versions prior to commit f0bc8f2babdfd4770a5adbf3b60ec612e4f1db46
Operating Systems: All operating systems running lollms-webui
Default Config Vulnerable: ⚠️ Yes
Notes: All deployments with the vulnerable code are affected regardless of configuration.

📦 What is this software?

lollms-webui is the web front end of ParisNeo's LoLLMs (Lord of Large Language Models) project; it lets users chat with locally or remotely hosted language models and stores the resulting discussions and messages in a local database, which is the data this vulnerability lets an attacker wipe.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete deletion of all discussion and message data, causing irreversible data loss and service disruption.

🟠 Likely Case: Attacker deletes all user discussions and messages, requiring restoration from backups and causing temporary service disruption.

🟢 If Mitigated: Attack prevented by proper input validation, with no data loss, or minimal impact if detected early.

🌐 Internet-Facing: HIGH - The vulnerability is exploitable via HTTP requests, making internet-facing instances particularly vulnerable.
🏢 Internal Only: MEDIUM - Internal instances are still vulnerable but have reduced attack surface compared to internet-facing deployments.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability is straightforward to exploit with basic SQL injection techniques and requires no authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Commit f0bc8f2babdfd4770a5adbf3b60ec612e4f1db46 and later

Vendor Advisory: https://github.com/parisneo/lollms-webui/commit/f0bc8f2babdfd4770a5adbf3b60ec612e4f1db46

Restart Required: Yes

Instructions:

1. Update to a lollms-webui version that includes commit f0bc8f2babdfd4770a5adbf3b60ec612e4f1db46 (any later release).
2. If you run a fork or a pinned checkout, cherry-pick that commit instead.
3. Restart the application service so the patched code is loaded.

🔧 Temporary Workarounds

WAF Rule Implementation (applies to: all deployments)

Put web application firewall rules in front of the application that block SQL injection patterns in POST requests to the /delete_discussion endpoint. Signature lists are easy to evade; the more robust rule is to allow only an integer value for the discussion id on that endpoint.

Endpoint Restriction (applies to: all deployments)

Restrict access to the /delete_discussion endpoint using network controls or an authentication requirement. Authentication only narrows who can reach the flaw: any user who is still allowed to call the endpoint can still trigger the injection, so treat this as a stop-gap, not a fix.

🧯 If You Can't Patch

  • If you can change the code but not pull the upstream fix, apply the same change locally: reject any id that is not an integer before it reaches the query, and pass the value to the database as a bound parameter instead of formatting it into the SQL string
  • Deploy a WAF with SQL injection protection rules and monitor for attack attempts against /delete_discussion

🔍 How to Verify

Check if Vulnerable:

Your checkout is vulnerable if it does not contain commit f0bc8f2babdfd4770a5adbf3b60ec612e4f1db46. Note that `git log --oneline` prints abbreviated hashes, so grepping its output for the full 40-character hash never matches; ask git directly whether the fix commit is an ancestor of what you are running (run `git fetch` first so the commit object is present locally):

Check Version:

git merge-base --is-ancestor f0bc8f2babdfd4770a5adbf3b60ec612e4f1db46 HEAD && echo patched || echo vulnerable

Verify Fix Applied:

Open the delete_discussion() function and confirm that the discussion id is handed to the database driver as a bound parameter (a placeholder in the SQL text with the value supplied separately) rather than formatted into the statement string, and that non-integer ids are rejected before the query runs. For installs unpacked from an archive rather than cloned, this source inspection is the only check available.
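The vulnerable pattern and its hardened form side by side, as an added illustration that is not lollms-webui's own code: the table layout, the sample rows and the `1 OR 1=1` payload are constructed assumptions that reproduce the bug class described in the TL;DR against an in-memory SQLite database, and the fixed function is the shape the check above (bound parameter, integer-only id) is looking for.

```python
"""Vulnerable and fixed delete_discussion() against an in-memory SQLite DB.
Added example, not lollms-webui's code: table names, sample rows and the
payload are constructed assumptions."""
import sqlite3

# Constructed injection value: the id turns the statement into
# `... WHERE discussion_id=1 OR 1=1`, which matches every row.  (A stacked
# `;` payload would not work here: sqlite3.execute() refuses more than one
# statement per call, which is why the OR form is the one to expect.)
PAYLOAD = "1 OR 1=1"


def make_db() -> sqlite3.Connection:
    """Two discussions and three messages: constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE discussion (id INTEGER PRIMARY KEY, title TEXT);
        CREATE TABLE message (id INTEGER PRIMARY KEY, discussion_id INTEGER, content TEXT);
        INSERT INTO discussion VALUES (1, 'first chat'), (2, 'second chat');
        INSERT INTO message VALUES (1, 1, 'hello'), (2, 1, 'world'), (3, 2, 'other');
        """
    )
    return conn


def count_rows(conn: sqlite3.Connection) -> tuple:
    """(discussions, messages) still present in the database."""
    d = conn.execute("SELECT COUNT(*) FROM discussion").fetchone()[0]
    m = conn.execute("SELECT COUNT(*) FROM message").fetchone()[0]
    return d, m


def delete_discussion_vulnerable(conn: sqlite3.Connection, discussion_id) -> None:
    """The bug class: the request-controlled id is formatted into the SQL text."""
    conn.execute(f"DELETE FROM message WHERE discussion_id={discussion_id}")
    conn.execute(f"DELETE FROM discussion WHERE id={discussion_id}")
    conn.commit()


def delete_discussion_fixed(conn: sqlite3.Connection, discussion_id) -> int:
    """Hardened form: require an integer, then bind it with a `?` placeholder.
    Returns the number of messages deleted."""
    try:
        did = int(discussion_id)  # "1 OR 1=1" fails here with ValueError
    except (TypeError, ValueError) as exc:
        raise ValueError("discussion id must be an integer") from exc
    cur = conn.execute("DELETE FROM message WHERE discussion_id=?", (did,))
    conn.execute("DELETE FROM discussion WHERE id=?", (did,))
    conn.commit()
    return cur.rowcount


def demo_vulnerable() -> tuple:
    """Send the payload to the vulnerable function: every row disappears."""
    conn = make_db()
    delete_discussion_vulnerable(conn, PAYLOAD)
    return count_rows(conn)


def demo_fixed() -> tuple:
    """The same payload against the fixed function is rejected; a legitimate
    delete of discussion 2 still works and leaves discussion 1 intact."""
    conn = make_db()
    try:
        delete_discussion_fixed(conn, PAYLOAD)
        rejected = False
    except ValueError:
        rejected = True
    delete_discussion_fixed(conn, "2")  # string form, as a JSON body might carry it
    return rejected, count_rows(conn)


if __name__ == "__main__":
    print("vulnerable:", demo_vulnerable())  # (0, 0): everything is gone
    print("fixed:", demo_fixed())            # (True, (1, 2))
```

The `int()` cast is the allow-list: it accepts only something that parses as a whole number, so any SQL fragment is rejected before the driver sees it, and the placeholder means that even a legitimate integer is sent as data, never as SQL text.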

📡 Detection & Monitoring

Log Indicators:

  • Unusual DELETE queries on discussion/message tables
  • Multiple rapid requests to /delete_discussion endpoint
  • SQL error messages in application logs

Network Indicators:

  • POST requests to /delete_discussion with SQL injection patterns
  • Unusual traffic patterns to the application endpoint

SIEM Query:

source="web_server_logs" AND uri="/delete_discussion" AND (method="POST") AND (payload CONTAINS "' OR '1'='1" OR payload CONTAINS "--" OR payload CONTAINS ";")

This query assumes the request body is available in the log (plain access logs do not record POST bodies). Its `--` and `;` terms also match harmless text, and a fixed keyword list misses variants such as `1 OR 1=1`; a tighter rule is to alert whenever the id value in a POST to /delete_discussion is anything other than a bare integer.
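The detection logic above, run over a few constructed log records, as an added example that is not lollms-webui's own logging or any product's rule: the JSON record format, the field names and the sample lines are assumptions. Rather than matching SQL keywords, it alerts when the id is not a bare integer (the allow-list approach), and separately when one source issues several deletes within a short window, which covers the "multiple rapid requests" indicator.

```python
"""Allow-list detection for /delete_discussion over constructed JSON log
records.  Added example; the log format and sample lines are assumptions."""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one JSON record per request, with the POST body logged.
# Lines from 203.0.113.9 carry injection attempts and arrive in a burst.
SAMPLE_LOG = """\
{"ts": "2024-02-20T10:00:00", "src": "10.0.0.5", "method": "POST", "uri": "/delete_discussion", "body": "{\\"id\\": 7}"}
{"ts": "2024-02-20T10:00:01", "src": "10.0.0.5", "method": "POST", "uri": "/delete_discussion", "body": "{\\"id\\": \\"12\\"}"}
{"ts": "2024-02-20T10:05:00", "src": "203.0.113.9", "method": "POST", "uri": "/delete_discussion", "body": "{\\"id\\": \\"1 OR 1=1\\"}"}
{"ts": "2024-02-20T10:05:01", "src": "203.0.113.9", "method": "POST", "uri": "/delete_discussion", "body": "{\\"id\\": \\"1; DROP TABLE message--\\"}"}
{"ts": "2024-02-20T10:05:01", "src": "203.0.113.9", "method": "POST", "uri": "/delete_discussion", "body": "{\\"id\\": \\"1 OR 1=1\\"}"}
{"ts": "2024-02-20T10:05:02", "src": "203.0.113.9", "method": "POST", "uri": "/delete_discussion", "body": "{\\"id\\": 3}"}
{"ts": "2024-02-20T10:06:00", "src": "10.0.0.8", "method": "GET", "uri": "/list_discussions", "body": ""}
"""

INT_RE = re.compile(r"^\s*-?\d+\s*$")


def suspicious_id(body: str) -> bool:
    """True when the logged body does not carry a plain integer id."""
    try:
        value = json.loads(body).get("id")
    except (ValueError, AttributeError):
        return True  # unparsable or non-object body on this endpoint: worth a look
    if isinstance(value, bool):  # bool is an int subclass; a JSON true/false id is odd
        return True
    if isinstance(value, int):
        return False
    return not (isinstance(value, str) and INT_RE.match(value))


def detect(log_text: str, burst: int = 3, window: timedelta = timedelta(seconds=10)) -> list:
    """Return (rule, source, detail) alerts for POST /delete_discussion traffic."""
    alerts = []
    per_src = defaultdict(list)
    for line in log_text.splitlines():
        rec = json.loads(line)
        if rec["method"] != "POST" or rec["uri"] != "/delete_discussion":
            continue
        per_src[rec["src"]].append(datetime.fromisoformat(rec["ts"]))
        if suspicious_id(rec["body"]):
            alerts.append(("non_integer_id", rec["src"], rec["body"]))
    # Rate rule: `burst` deletes from one source inside a sliding `window`.
    for src, times in per_src.items():
        times.sort()
        for i in range(len(times) - burst + 1):
            if times[i + burst - 1] - times[i] <= window:
                alerts.append(("burst", src, f"{burst} deletes within {int(window.total_seconds())}s"))
                break
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(*alert)
```

On the sample, the three malformed ids and the burst all come from 203.0.113.9, while the two ordinary deletes from 10.0.0.5 (an integer and a digit string) raise nothing, which is the false-positive behaviour the keyword query cannot offer.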
