CVE-2024-48057

6.1 MEDIUM

📋 TL;DR

LocalAI versions up to 2.20.1 contain a stored cross-site scripting (XSS) vulnerability in the delete model API. When malicious parameters are passed to this API, they can be stored and later executed when users visit the homepage, potentially allowing attackers to steal session cookies or perform unauthorized actions. This affects all LocalAI deployments using vulnerable versions.

💻 Affected Systems

Products:
  • LocalAI
Versions: <= 2.20.1
Operating Systems: all
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability requires API access to trigger the stored XSS, which then affects users visiting the homepage.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attacker steals admin session cookies, gains full control of LocalAI instance, and potentially compromises the underlying server.

🟠 Likely Case

Attacker steals user session cookies, performs unauthorized actions within LocalAI, or redirects users to malicious sites.

🟢 If Mitigated

XSS payloads are blocked by content security policies or modern browser protections, limiting impact to basic UI manipulation.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires API access but payload execution occurs when legitimate users visit the homepage.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: > 2.20.1

Vendor Advisory: https://github.com/mudler/LocalAI

Restart Required: Yes

Instructions:

1. Update LocalAI to version >2.20.1
2. Restart the LocalAI service
3. Verify the fix by checking the version

🔧 Temporary Workarounds

Input Validation Filter

all

Implement input validation and sanitization for all API parameters, especially the delete model endpoint.

# Requires code modification to sanitize inputs before processing

Content Security Policy

all

Implement strict Content Security Policy headers to prevent XSS payload execution.

# Add to web server configuration:
# Content-Security-Policy: default-src 'self'; script-src 'self'

🧯 If You Can't Patch

  • Restrict API access to trusted users only using authentication and IP whitelisting
  • Implement web application firewall (WAF) rules to detect and block XSS payloads

🔍 How to Verify

Check if Vulnerable:

Check LocalAI version. If version <= 2.20.1, the system is vulnerable.

Check Version:

localai --version

Verify Fix Applied:

After updating, test the delete model API with XSS payloads and verify they are properly sanitized.

📡 Detection & Monitoring

Log Indicators:

  • Unusual delete model API calls with JavaScript payloads in parameters
  • Multiple failed delete attempts with suspicious parameters

Network Indicators:

  • HTTP requests to delete model endpoint containing script tags or JavaScript code

SIEM Query:

source="localai.log" AND "DELETE /models/" AND ("<script>" OR "javascript:" OR "onerror=" OR "onload=")
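
The SIEM query above matches only literal strings, so a percent-encoded or mixed-case parameter in the logged request path would not match it. The following Go sketch is an added example, not LocalAI code: it applies the same indicators after decoding and lowercasing the path. The log line format and the sample lines are assumptions constructed for illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Indicators from the SIEM query above; "<script" omits ">" so tags with attributes match.
var indicators = []string{"<script", "javascript:", "onerror=", "onload="}

// normalize percent-decodes up to three times (double encoding) and lowercases.
func normalize(s string) string {
	for i := 0; i < 3; i++ {
		d, err := url.PathUnescape(s)
		if err != nil || d == s {
			break
		}
		s = d
	}
	return strings.ToLower(s)
}

// Suspicious reports the first indicator found in a delete-model request path.
// Assumed log line format: "<time> <ip> <method> <path> <status>".
func Suspicious(line string) (string, bool) {
	i := strings.Index(line, "DELETE /models/")
	if i < 0 {
		return "", false
	}
	path, _, _ := strings.Cut(line[i+len("DELETE "):], " ")
	path = normalize(path)
	for _, ind := range indicators {
		if strings.Contains(path, ind) {
			return ind, true
		}
	}
	return "", false
}

func main() {
	// Constructed sample lines, not taken from a real LocalAI log.
	for _, l := range []string{
		"2024-10-01T12:00:00Z 10.0.0.5 DELETE /models/llama-3-8b 200",
		"2024-10-01T12:00:07Z 10.0.0.9 DELETE /models/%3Cscript%3Ealert(1)%3C/script%3E 200",
	} {
		fmt.Println(Suspicious(l))
	}
}
```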
