CVE-2024-2358

9.8 CRITICAL

📋 TL;DR

A path traversal vulnerability in the '/apply_settings' endpoint of parisneo/lollms-webui allows attackers to execute arbitrary code by exploiting insufficient input sanitization in the 'extensions' parameter. This enables remote code execution through malicious '__init__.py' files. All users running the latest version of parisneo/lollms-webui are affected.

💻 Affected Systems

Products:
  • parisneo/lollms-webui
Versions: Latest version (as of vulnerability discovery)
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the default configuration and requires no special setup to be exploitable.


⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete system compromise, with the attacker gaining full control over the server, exfiltrating data, and moving laterally within the network.

🟠 Likely Case: Remote code execution leading to data theft, service disruption, and potential ransomware deployment.

🟢 If Mitigated: Limited impact with proper input validation and file system restrictions in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires access to the '/apply_settings' endpoint but is straightforward once access is obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check vendor advisory for specific version

Vendor Advisory: https://huntr.com/bounties/b2771df3-be50-45bd-93c4-0974ce38bc22

Restart Required: Yes

Instructions:

1. Check the vendor advisory for the patched version.
2. Update to the latest patched version.
3. Restart the lollms-webui service.

🔧 Temporary Workarounds

Input Validation Filter (applies to: all)

Add input validation to reject path traversal sequences in the 'extensions' parameter. Implement server-side validation to block strings containing '../' or similar traversal patterns.

Endpoint Restriction (applies to: all)

Restrict access to the '/apply_settings' endpoint. Configure the web server or application firewall to limit access to trusted IPs only.
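The following is an added example of the server-side validation described in the workaround above; it is not code from lollms-webui. It treats the 'extensions' parameter as an allow-listed name rather than only blocking '../': each path component must be a plain identifier, and the resolved location must still sit under the extensions directory. The directory path and the function names are assumptions for this example.

```python
import re
from pathlib import Path

# Directory the application loads extensions from. Hypothetical location used
# for this example; substitute whatever your deployment actually uses.
EXTENSIONS_DIR = Path("/opt/lollms-webui/extensions")

# Allow-list for one path component: letters, digits, underscore, hyphen.
# '.', '..', '', percent-encoded forms and anything else fail this match.
_COMPONENT = re.compile(r"^[A-Za-z0-9_-]+$")


class InvalidExtensionName(ValueError):
    """Raised when a submitted extension name is rejected."""


def validate_extension_name(name: str, base_dir: Path = EXTENSIONS_DIR) -> Path:
    """Return the resolved extension directory for `name`, or raise."""
    if not isinstance(name, str) or not name:
        raise InvalidExtensionName("empty or non-string name")
    # Reject absolute paths, backslashes and NUL bytes up front.
    if name.startswith(("/", "\\")) or "\\" in name or "\x00" in name:
        raise InvalidExtensionName(f"rejected: {name!r}")
    parts = name.split("/")
    for part in parts:
        if not _COMPONENT.fullmatch(part):
            raise InvalidExtensionName(f"rejected component {part!r} in {name!r}")
    # Defence in depth: even an allow-listed name must resolve inside base_dir
    # (resolve() also follows symlinks, so a symlinked escape is caught here).
    base = base_dir.resolve()
    target = (base / Path(*parts)).resolve()
    try:
        target.relative_to(base)
    except ValueError:
        raise InvalidExtensionName(f"escapes {base}: {name!r}") from None
    return target


def filter_extensions(names):
    """Split a submitted list into (accepted resolved paths, rejected raw names)."""
    accepted, rejected = [], []
    for n in names:
        try:
            accepted.append(validate_extension_name(n))
        except InvalidExtensionName:
            rejected.append(n)
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample input: one clean name, one nested name, several that
    # must be rejected.
    ok, bad = filter_extensions(["good_ext", "../evil", "vendor/ok-1", "/abs", "a/./b", ""])
    print("accepted:", [str(p) for p in ok])
    print("rejected:", bad)
```

Logging the rejected names (without acting on them) gives the detection team a ready-made indicator for the '/apply_settings' abuse described in this advisory.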

🧯 If You Can't Patch

  • Implement strict input validation to block path traversal sequences
  • Restrict file system permissions for the lollms-webui process

🔍 How to Verify

Check if Vulnerable:

Check if your version matches the affected version range and test for path traversal in the '/apply_settings' endpoint

Check Version:

Check lollms-webui version through application interface or package manager

Verify Fix Applied:

Verify that path traversal sequences are properly sanitized and cannot reach arbitrary directories

📡 Detection & Monitoring

Log Indicators:

  • Unusual file access patterns
  • Requests to '/apply_settings' with path traversal sequences
  • Execution of unexpected Python files

Network Indicators:

  • HTTP POST requests to '/apply_settings' with suspicious payloads

SIEM Query:

source="web_server" AND (uri="/apply_settings" AND payload MATCHES "\.\./.*\.py")
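As an added example (not part of the advisory), the detection logic behind the SIEM query above, run offline over constructed log lines. It normalises the request body (percent-decoding twice and folding backslashes to slashes) before matching, and reports whether the advisory's literal pattern would also have fired, which shows that the query as written misses percent-encoded traversal. The log format is a hypothetical application log that records request bodies; most web servers do not log POST bodies unless configured to.

```python
import re
from urllib.parse import unquote

# Constructed sample log lines (not from any real deployment). Hypothetical
# format: timestamp, method, path, status, then the request body as logged.
SAMPLE_LOG = r'''
2024-03-10T12:00:01Z POST /apply_settings 200 body={"extensions": ["my_ext"]}
2024-03-10T12:00:02Z POST /apply_settings 200 body={"extensions": ["../../tmp/evil.py"]}
2024-03-10T12:00:03Z POST /apply_settings 200 body={"extensions": ["%2e%2e%2f%2e%2e%2ftmp%2fdrop.py"]}
2024-03-10T12:00:04Z GET /index.html 200 body=
2024-03-10T12:00:05Z POST /other 200 body={"x": "../../not_this_endpoint"}
2024-03-10T12:00:06Z POST /apply_settings 200 body={"extensions": ["..\\..\\win\\x"]}
'''

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<method>\S+) (?P<path>\S+) (?P<status>\d+) body=(?P<body>.*)$"
)
# Traversal after normalisation: '..' followed by a separator or end of string.
TRAVERSAL_RE = re.compile(r"\.\.(/|$)")
# The advisory's SIEM pattern, applied to the raw (undecoded) body for comparison.
SIEM_RE = re.compile(r"\.\./.*\.py")


def normalize_payload(raw: str) -> str:
    """Percent-decode twice (covers double encoding) and fold '\\' to '/'."""
    return unquote(unquote(raw)).replace("\\", "/")


def scan_log(text: str, endpoint: str = "/apply_settings") -> list:
    """Return one finding per request to `endpoint` whose body contains traversal."""
    findings = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("path") != endpoint:
            continue
        raw = m.group("body")
        normalized = normalize_payload(raw)
        if TRAVERSAL_RE.search(normalized):
            findings.append({
                "ts": m.group("ts"),
                "raw_body": raw,
                "targets_py": ".py" in normalized,
                "siem_query_would_match": bool(SIEM_RE.search(raw)),
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ts"], "siem_match=%s" % f["siem_query_would_match"], f["raw_body"])
```

Pair this with the 'Execution of unexpected Python files' indicator: a traversal request followed shortly by a new Python module being imported by the lollms-webui process is the sequence this advisory describes.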
