CVE-2024-9919
📋 TL;DR
This vulnerability allows unauthenticated attackers to delete directories via the uninstall API endpoint in parisneo/lollms-webui. Attackers can exploit missing authentication checks to perform unauthorized file system operations. All users running vulnerable versions of lollms-webui are affected.
💻 Affected Systems
- parisneo/lollms-webui
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise through arbitrary directory deletion, potentially leading to data loss, service disruption, or enabling further attacks by removing security controls.
Likely Case
Unauthorized deletion of application directories causing service disruption and data loss for the lollms-webui application.
If Mitigated
No impact if proper authentication is enforced or the vulnerable endpoint is disabled.
🎯 Exploit Status
Exploitation requires sending HTTP requests to the /uninstall/{app_name} endpoint without authentication. No special tools or knowledge needed beyond basic HTTP request crafting.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version after V13 (check latest release)
Vendor Advisory: https://huntr.com/bounties/5c00f56b-32a8-4e26-a4e3-de64f139da6b
Restart Required: No
Instructions:
1. Update to the latest version of lollms-webui.
2. Verify that the check_access() function is called in the uninstall endpoint.
3. Test that uninstall requests require proper authentication.
🔧 Temporary Workarounds
Disable uninstall endpoint
Remove or disable the /uninstall/{app_name} API endpoint in the web server configuration
# Edit your web server config to block /uninstall/* routes
# Example for nginx (inside the server block):
location ~ ^/uninstall/ { deny all; }
Add authentication middleware
Implement authentication checks before the uninstall endpoint handler
# Add an authentication decorator or middleware to the uninstall route
# Example (Flask-style); the decorator runs before the handler body executes
@app.route('/uninstall/<app_name>', methods=['DELETE'])
@require_auth
def uninstall_app(app_name):
    ...
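The following is an added example, not code from lollms-webui or from the advisory. It shows the missing-authentication pattern described above as a before/after pair: a handler that deletes on any request, and the same handler behind a require_auth decorator that calls an access check first. The framework is stubbed with plain functions so the file runs without Flask or FastAPI; Request, Unauthorized, VALID_TOKEN and the check_access() body are assumptions for illustration and do not reproduce the project's real API.

```python
import functools
import hmac
from dataclasses import dataclass, field
from typing import Optional, List

# Constructed: the one token this stub accepts. A real deployment loads
# credentials from configuration and never hard-codes them.
VALID_TOKEN = "s3cr3t-example-token"


@dataclass
class Request:
    """Stand-in for a framework request object (assumption, not a real API)."""
    path: str
    method: str = "DELETE"
    headers: dict = field(default_factory=dict)


class Unauthorized(Exception):
    """Raised where a real app would return HTTP 401."""


def check_access(request: Request) -> None:
    """Reject the request unless it carries a valid bearer token.

    hmac.compare_digest keeps the comparison constant-time so the token
    cannot be guessed byte by byte from response timing.
    """
    auth = request.headers.get("Authorization", "")
    scheme, _, token = auth.partition(" ")
    if scheme != "Bearer" or not hmac.compare_digest(
        token.encode("utf-8"), VALID_TOKEN.encode("utf-8")
    ):
        raise Unauthorized("authentication required")


def require_auth(handler):
    """Decorator: run check_access() before the wrapped handler executes."""
    @functools.wraps(handler)
    def wrapper(request: Request, *args, **kwargs):
        check_access(request)
        return handler(request, *args, **kwargs)
    return wrapper


# Simulated side effect: which app directories "were deleted" (no real I/O).
deleted: List[str] = []


def uninstall_app_vulnerable(request: Request, app_name: str) -> dict:
    """Before: no authentication check, so any caller triggers the deletion."""
    deleted.append(app_name)
    return {"status": "deleted", "app": app_name}


@require_auth
def uninstall_app_fixed(request: Request, app_name: str) -> dict:
    """After: the decorator rejects unauthenticated callers before deleting."""
    deleted.append(app_name)
    return {"status": "deleted", "app": app_name}


def try_uninstall(handler, app_name: str, token: Optional[str]) -> str:
    """Call a handler as an anonymous or authenticated client; return outcome."""
    headers = {"Authorization": f"Bearer {token}"} if token else {}
    req = Request(path=f"/uninstall/{app_name}", headers=headers)
    try:
        handler(req, app_name)
        return "deleted"
    except Unauthorized:
        return "401"


if __name__ == "__main__":
    print(try_uninstall(uninstall_app_vulnerable, "test", None))    # deleted
    print(try_uninstall(uninstall_app_fixed, "test", None))         # 401
    print(try_uninstall(uninstall_app_fixed, "test", "wrong-token")) # 401
    print(try_uninstall(uninstall_app_fixed, "test", VALID_TOKEN))  # deleted
```

The point of the decorator form is that the check cannot be forgotten per handler: any route registered under require_auth fails closed, and the verification step above ("uninstall requests require proper authentication") reduces to confirming the decorator is present on the route.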
🧯 If You Can't Patch
- Implement network-level access controls to restrict access to the lollms-webui API endpoints
- Monitor and alert on uninstall API calls in application logs
🔍 How to Verify
Check if Vulnerable:
Test if you can access /uninstall/test without authentication. If it returns success or attempts deletion, you're vulnerable.
Check Version:
Check the lollms-webui version in the application interface or configuration files
Verify Fix Applied:
Attempt to access /uninstall/test without authentication. Should return 401/403 error or redirect to login.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests to /uninstall/* endpoints without authentication headers
- Directory deletion operations from web UI processes
Network Indicators:
- HTTP DELETE requests to /uninstall/* paths
- Unusual spike in API requests to uninstall endpoints
SIEM Query:
source="web_server_logs" AND uri_path="/uninstall/*" AND NOT auth_token=*
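As an added example (not part of the advisory), the log indicators and SIEM query above expressed as a filter you can run over exported application logs. The log format is a constructed JSON-lines shape, one object per line with src, method, uri_path and an optional auth_token field; the field names are assumptions, so map them to whatever your lollms-webui front end or reverse proxy actually emits.

```python
import json
from typing import Dict, List

# Constructed sample log lines, not real captures. Line 2 and line 4 are the
# ones the advisory's indicators should flag; line 5 is deliberately malformed.
SAMPLE_LOG = """\
{"ts":"2024-10-10T10:00:01Z","src":"10.0.0.5","method":"GET","uri_path":"/apps","auth_token":"tok-a"}
{"ts":"2024-10-10T10:00:02Z","src":"203.0.113.9","method":"DELETE","uri_path":"/uninstall/test"}
{"ts":"2024-10-10T10:00:03Z","src":"10.0.0.5","method":"DELETE","uri_path":"/uninstall/old_app","auth_token":"tok-a"}
{"ts":"2024-10-10T10:00:04Z","src":"203.0.113.9","method":"GET","uri_path":"/uninstall/","auth_token":""}
not json at all
"""


def parse_lines(text: str) -> List[Dict]:
    """Parse JSON-lines input, skipping lines that are not valid JSON."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # one malformed line should not abort the whole scan
    return events


def is_unauthenticated_uninstall(ev: Dict) -> bool:
    """True for a request to /uninstall/* that carries no auth token.

    Mirrors the SIEM query: uri_path="/uninstall/*" AND NOT auth_token=*.
    A missing field and an empty string both count as "no token".
    """
    path = ev.get("uri_path", "")
    if not path.startswith("/uninstall/"):
        return False
    return not ev.get("auth_token")


def find_suspicious(text: str) -> List[Dict]:
    """Return every event matching the unauthenticated-uninstall indicator."""
    return [ev for ev in parse_lines(text) if is_unauthenticated_uninstall(ev)]


def count_by_source(events: List[Dict]) -> Dict[str, int]:
    """Aggregate hits per source address, the basis for the 'spike' indicator."""
    counts: Dict[str, int] = {}
    for ev in events:
        src = ev.get("src", "?")
        counts[src] = counts.get(src, 0) + 1
    return counts


if __name__ == "__main__":
    hits = find_suspicious(SAMPLE_LOG)
    for ev in hits:
        print(f"{ev.get('ts')} {ev.get('src')} {ev.get('method')} {ev.get('uri_path')}")
    print(count_by_source(hits))
```

Note that on a patched server the same requests still appear in the log but are answered with 401/403; if your logs include the status code, alerting on a 2xx response to an unauthenticated /uninstall/* request is the higher-fidelity signal, while repeated 4xx responses from one source indicate probing.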