CVE-2024-9597
📋 TL;DR
A path traversal vulnerability in parisneo/lollms v12 allows attackers to delete arbitrary directories on the system by exploiting improper validation in the /wipe_database endpoint. This affects all systems running the vulnerable version of lollms, potentially leading to data loss or system disruption.
💻 Affected Systems
- parisneo/lollms
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise through deletion of critical system directories, leading to OS corruption, data loss, and service disruption.
Likely Case
Targeted deletion of application data directories, configuration files, or user data causing service outages and data loss.
If Mitigated
Limited impact if the endpoint is properly firewalled or access-controlled, with only authorized deletions possible.
🎯 Exploit Status
Exploitation requires crafting HTTP requests with path traversal sequences in the key parameter. No authentication bypass is needed if the endpoint is accessible.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v12.1 or later
Vendor Advisory: https://huntr.com/bounties/1f6c8908-d486-4141-be55-25bd29933d8b
Restart Required: No
Instructions:
1. Update lollms to version v12.1 or later.
2. Verify the update by checking the version.
3. No restart required as this is a code-level fix.
🔧 Temporary Workarounds
Disable /wipe_database endpoint
Temporarily disable or block access to the vulnerable endpoint
# Configure web server to block /wipe_database endpoint
# Example for nginx: location /wipe_database { deny all; }
# Example for Apache: <Location /wipe_database> Require all denied </Location>
Implement input validation
Add server-side validation to reject path traversal sequences in the key parameter
# Add validation to sanitize the key parameter before it is used to build a path
# Example Python: if '..' in key or '/' in key or '\\' in key: return error
# Better: allow-list the key (e.g. letters, digits, '_' and '-' only) instead of block-listing characters
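A fuller version of that validation, as an added example that is not lollms project code: it combines an allow-list on the raw key with a containment check on the resolved path, and refuses to delete the database root itself. It assumes (not stated in the advisory) that databases are sub-directories of one base directory named by the key.

```python
"""Added example, not lollms project code: validate the `key` parameter before
it selects a database directory for deletion. Assumption (not from the
advisory): databases are sub-directories of one base directory, named by key."""
import re
import shutil
import tempfile
from pathlib import Path

# Allow-list: a key is one path component made of safe characters only.
_SAFE_KEY = re.compile(r"[A-Za-z0-9_-]{1,64}")


def resolve_database_dir(base_dir: Path, key: str) -> Path:
    """Return the directory `key` names inside base_dir, or raise ValueError.
    Check 1 rejects '..', '/', '\\' and control characters in the raw string;
    check 2 rejects resolved paths (e.g. via symlink) that leave base_dir."""
    if not _SAFE_KEY.fullmatch(key):
        raise ValueError(f"invalid key: {key!r}")
    base = base_dir.resolve()
    target = (base / key).resolve()
    if target == base or base not in target.parents:  # must be strictly inside
        raise ValueError(f"key escapes database root: {key!r}")
    return target


def wipe_database(base_dir: Path, key: str) -> bool:
    """Hardened wipe: delete only a validated sub-directory of base_dir."""
    target = resolve_database_dir(base_dir, key)
    if not target.is_dir():
        return False
    shutil.rmtree(target)
    return True


def demo() -> dict:
    """Constructed scenario: one real database directory plus traversal keys."""
    root = Path(tempfile.mkdtemp())
    (root / "dbs" / "default").mkdir(parents=True)
    (root / "secret").mkdir()
    results = {}
    for key in ("default", "missing", "../secret", "default/../../secret", ""):
        try:
            results[key] = wipe_database(root / "dbs", key)
        except ValueError:
            results[key] = "rejected"
    results["secret_survives"] = (root / "secret").is_dir()
    shutil.rmtree(root)
    return results
```

The allow-list alone would already stop the traversal strings; the containment check is what protects against a key that is lexically clean but points outside the root through a symlink.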
🧯 If You Can't Patch
- Implement strict network access controls to limit who can reach the /wipe_database endpoint
- Deploy web application firewall (WAF) rules to detect and block path traversal attempts
🔍 How to Verify
Check if Vulnerable:
Check whether the running lollms version is v12. Attempt to access the /wipe_database endpoint with path traversal payloads.
Check Version:
Check lollms version in application interface or configuration files
Verify Fix Applied:
Verify lollms version is v12.1 or later. Test that path traversal attempts in the key parameter are properly rejected.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests to /wipe_database containing '..' or '/' sequences in parameters
- File deletion operations on unexpected directories
Network Indicators:
- HTTP POST requests to /wipe_database with unusual parameter values
- Traffic patterns showing directory traversal attempts
SIEM Query:
source="web_logs" AND uri_path="/wipe_database" AND (param_key="*..*" OR param_key="*/*")