CVE-2024-8898

9.8 CRITICAL

📋 TL;DR

A path traversal vulnerability in parisneo/lollms-webui version V12 allows attackers to create or delete arbitrary directories on the system by exploiting insufficient input sanitization in the install and uninstall API endpoints. This affects all users running the vulnerable version, potentially leading to system compromise.

💻 Affected Systems

Products:
  • parisneo/lollms-webui
Versions: V12 (Strawberry)
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects the specific V12 version; earlier and later versions may not be vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete system compromise via directory manipulation leading to arbitrary file write/delete, privilege escalation, or service disruption.

🟠 Likely Case: Unauthorized directory creation/deletion leading to data loss, service disruption, or preparation for further attacks.

🟢 If Mitigated: Limited impact with proper input validation and directory restrictions in place.

🌐 Internet-Facing: HIGH - API endpoints are typically exposed and can be exploited remotely.
🏢 Internal Only: MEDIUM - Still exploitable by internal users or compromised accounts.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires API access but is straightforward once authenticated.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Fixed in commit 6d07c8a0dd0a15cc060becc73fda9fe8e788eb23

Vendor Advisory: https://github.com/parisneo/lollms-webui/commit/6d07c8a0dd0a15cc060becc73fda9fe8e788eb23

Restart Required: Yes

Instructions:

1. Update to the latest version after commit 6d07c8a0dd0a15cc060becc73fda9fe8e788eb23.
2. Restart the lollms-webui service.
3. Verify the fix by testing the API endpoints.

🔧 Temporary Workarounds

Disable vulnerable endpoints (applies to: all)

Temporarily disable the install and uninstall API endpoints if not needed.

Modify configuration to disable /api/install and /api/uninstall endpoints

Implement input validation (applies to: all)

Add server-side input validation to restrict directory paths.

Implement path sanitization with pathlib (resolve the requested path and confirm it stays under the intended base directory); os.path.normpath on its own only collapses '..' components and does not enforce containment.
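An added example of the server-side check this workaround calls for (written for this page, not lollms-webui's own code): a Python helper that accepts a directory name only if it resolves to a direct child of a hypothetical install root, shown next to the naive join-and-normalise pattern that lets traversal through. The base directory, function names and sample inputs are all constructed.

```python
import os
import tempfile
from pathlib import Path

# Constructed stand-in for the application's install root (hypothetical path)
BASE = Path(tempfile.mkdtemp(prefix="lollms_demo_")).resolve()

def safe_subdir(base: Path, name: str) -> Path:
    """Return base/name only when it is a direct child of base, else raise.
    Separators, NUL and the '.'/'..' components are refused up front, and the
    resolved path (symlinks followed) must still sit directly under base."""
    if not name or name in {".", ".."}:
        raise ValueError("empty or relative-component name")
    if any(ch in name for ch in "/\\\0"):
        raise ValueError(f"separator or NUL in {name!r}")
    base = base.resolve()
    candidate = (base / name).resolve()
    if candidate.parent != base:
        raise ValueError(f"{name!r} resolves outside {base}")
    return candidate

def naive_subdir(base: Path, name: str) -> Path:
    """Unsafe pattern, for contrast: join and normalise with no containment
    check, so '..' components or an absolute name leave base entirely."""
    return Path(os.path.normpath(os.path.join(str(base), name)))

def naive_escapes(name: str) -> bool:
    """True when the naive join lands anywhere outside BASE."""
    return BASE not in naive_subdir(BASE, name).parents

def classify(names):
    """Map each candidate name to 'ok' or 'rejected' under safe_subdir."""
    result = {}
    for n in names:
        try:
            safe_subdir(BASE, n)
            result[n] = "ok"
        except ValueError:
            result[n] = "rejected"
    return result

# Constructed sample inputs: benign names beside traversal-style ones
SAMPLES = ["my_extension", "ext-1.2", "../escaped", "..\\escaped",
           "/tmp/outside", "..", "", "nested/dir"]

if __name__ == "__main__":
    for name, verdict in classify(SAMPLES).items():
        print(f"{name!r:18} safe={verdict:8} naive_escapes={naive_escapes(name)}")
```

Because the check runs after resolve(), an existing entry under the install root that is a symlink to somewhere outside it is rejected as well, which a string-only check on '..' would miss.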

🧯 If You Can't Patch

  • Restrict network access to the API endpoints using firewall rules.
  • Implement strict file system permissions to limit directory creation/deletion capabilities.

🔍 How to Verify

Check if Vulnerable:

Check if running lollms-webui version V12 and test API endpoints with path traversal payloads.

Check Version:

Check the version in the application interface or configuration files for 'V12'.

Verify Fix Applied:

Verify the commit hash includes 6d07c8a0dd0a15cc060becc73fda9fe8e788eb23 and test that path traversal attempts are blocked.

📡 Detection & Monitoring

Log Indicators:

  • Unusual API calls to install/uninstall endpoints with suspicious paths
  • Directory creation/deletion outside expected locations

Network Indicators:

  • HTTP requests to /api/install or /api/uninstall with path traversal patterns

SIEM Query:

source="webui_logs" AND (uri="/api/install" OR uri="/api/uninstall") AND (path CONTAINS ".." OR path CONTAINS "/")
