Login Sign Up

CVE-2024-6868

9.8 CRITICAL
Remote Code Execution Path Traversal

📋 TL;DR

CVE-2024-6868 is a critical vulnerability in mudler/LocalAI version 2.17.1 that allows arbitrary file write through improper archive extraction handling. Attackers can exploit 'tarslip' attacks to write files outside intended directories, potentially leading to remote code execution. All users running LocalAI 2.17.1 with automatic archive extraction enabled are affected.

💻 Affected Systems

Products:
  • mudler/LocalAI
Versions: 2.17.1
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability requires automatic archive extraction feature to be used, which is enabled by default when models specify archives.

📦 What is this software?

Localai by Mudler

View all CVEs affecting Localai →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete server compromise, data theft, and lateral movement within the network.

🟠

Likely Case

Arbitrary file write allowing attackers to overwrite critical system files, modify configurations, or plant backdoors.

🟢

If Mitigated

Limited impact if proper file system permissions restrict write access to sensitive directories.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit requires ability to upload or control archive files that get processed by LocalAI's automatic extraction.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.17.2 or later

Vendor Advisory: https://github.com/mudler/localai/commit/a181dd0ebc5d3092fc50f61674d552604fe8ef9c

Restart Required: Yes

Instructions:

1. Update LocalAI to version 2.17.2 or later. 2. Restart the LocalAI service. 3. Verify the fix by checking version and testing archive extraction.

🔧 Temporary Workarounds

Disable automatic archive extraction

all

Prevent automatic extraction of archives in model configurations

Modify LocalAI configuration to disable automatic archive extraction feature

Restrict file system permissions

linux

Limit write permissions for LocalAI process to only necessary directories

chmod -R 755 /path/to/localai/models
chown -R root:root /path/to/localai

🧯 If You Can't Patch

  • Disable automatic archive extraction in all model configurations
  • Implement strict file system permissions and run LocalAI with minimal privileges

🔍 How to Verify

Check if Vulnerable:

Check if running LocalAI version 2.17.1 and if automatic archive extraction is enabled in configuration

Check Version:

localai --version

Verify Fix Applied:

Verify LocalAI version is 2.17.2 or later and test archive extraction with path traversal attempts

📡 Detection & Monitoring

Log Indicators:

  • Archive extraction attempts with path traversal patterns
  • File write operations outside models directory
  • Unexpected file creation in system directories

Network Indicators:

  • Unusual archive downloads to LocalAI instance
  • Suspicious file upload patterns

SIEM Query:

source="localai.log" AND ("archive extraction" OR "tar extraction") AND (".." OR "path traversal")

📊 Metadata

CVE ID: CVE-2024-6868
CVSS v3 Score: 9.8 (CRITICAL)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-59
Published: October 29, 2024
Last Updated: October 15, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-6868, you might also want to check these:

CVE-2024-37143 10.0

This CVE describes an Improper Link Resolution Before File Access vulnerability in multiple Dell Pow...

Same vulnerability type (CWE-59)
CVE-2024-28185 10.0

CVE-2024-28185 is a critical symlink vulnerability in Judge0 that allows attackers to write arbitrar...

Same vulnerability type (CWE-59)
CVE-2024-48862 9.8

CVE-2024-48862 is a path traversal vulnerability in QNAP's QuLog Center that allows remote attackers...

Same vulnerability type (CWE-59)