Critical severityNVD Advisory· Published Apr 10, 2024· Updated Aug 1, 2024

Command Injection in mudler/localai

CVE-2024-2029

Description

A command injection vulnerability exists in the TranscriptEndpoint of mudler/localai, specifically within the audioToWav function used for converting audio files to WAV format for transcription. The vulnerability arises due to the lack of sanitization of user-supplied filenames before passing them to ffmpeg via a shell command, allowing an attacker to execute arbitrary commands on the host system. Successful exploitation could lead to unauthorized access, data breaches, or other detrimental impacts, depending on the privileges of the process executing the code.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
github.com/go-skynet/LocalAIGo	< 2.10.0	2.10.0

Affected products

Mudler/Mudler/localaiv5
Range: unspecified

Patches

31a4c9c9d3ab

Fix Command Injection Vulnerability (#1778)

https://github.com/mudler/localaiOussamaFeb 29, 2024via ghsa

commit

1 file changed · +7 −7

backend/go/transcribe/transcript.go+7 −7 modified

@@ -11,21 +11,21 @@ import (
 	"github.com/go-skynet/LocalAI/core/schema"
 )
 
-func sh(c string) (string, error) {
-	cmd := exec.Command("/bin/sh", "-c", c)
+func runCommand(command []string) (string, error) {
+	cmd := exec.Command(command[0], command[1:]...)
 	cmd.Env = os.Environ()
-	o, err := cmd.CombinedOutput()
-	return string(o), err
+	out, err := cmd.CombinedOutput()
+	return string(out), err
 }
 
-// AudioToWav converts audio to wav for transcribe. It bashes out to ffmpeg
+// AudioToWav converts audio to wav for transcribe.
 // TODO: use https://github.com/mccoyst/ogg?
 func audioToWav(src, dst string) error {
-	out, err := sh(fmt.Sprintf("ffmpeg -i %s -format s16le -ar 16000 -ac 1 -acodec pcm_s16le %s", src, dst))
+    command := []string{"ffmpeg", "-i", src, "-format", "s16le", "-ar", "16000", "-ac", "1", "-acodec", "pcm_s16le", dst}
+	out, err := runCommand(command)
 	if err != nil {
 		return fmt.Errorf("error: %w out: %s", err, out)
 	}
-
 	return nil
 }

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/advisories/GHSA-wx43-g55g-2jf4ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2024-2029ghsaADVISORY
github.com/mudler/localai/commit/31a4c9c9d3abc58de2bdc5305419181c8b33eb1cghsaWEB
huntr.com/bounties/e092528a-ce3b-4e66-9b98-3f56d6b276b0ghsaWEB

News mentions

No linked articles in our index yet.

cvss	0.585
epss	0.001
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000