Path Traversal in parisneo/lollms
Description
A path traversal vulnerability exists in the parisneo/lollms application, specifically within the sanitize_path_from_endpoint and sanitize_path functions in lollms_core\lollms\security.py. The vulnerability allows arbitrary file reading when the application is running on Windows. It arises from insufficient sanitization of user-supplied input, which lets an attacker bypass the path traversal protection by crafting input that the sanitizer does not recognise as traversal. Successful exploitation could lead to unauthorized access to sensitive files, information disclosure, and potentially a denial of service (DoS) condition if the attacker repeatedly requests large or resource-intensive files. This vulnerability affects the latest version prior to 9.6.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Path traversal in parisneo/lollms on Windows allows arbitrary file read via insufficient sanitization, leading to information disclosure and potential DoS.
Vulnerability
Description
A path traversal vulnerability exists in the parisneo/lollms application, specifically within the sanitize_path_from_endpoint and sanitize_path functions in lollms_core\lollms\security.py [1]. The issue arises due to insufficient sanitization of user-supplied input, enabling attackers to bypass path traversal protection mechanisms when the application is running on Windows [3].
Exploitation
Attackers can craft malicious input to navigate outside restricted directories, allowing arbitrary file reading. The vulnerability is exploitable without requiring authentication, as the endpoints that invoke these functions do not enforce access controls on file paths [1][3].
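The Windows bypass class described in the Description and Exploitation paragraphs above, as an added example that is not code from parisneo/lollms and does not reproduce its sanitize_path or sanitize_path_from_endpoint: a hypothetical filter that only recognises POSIX-style `../` traversal, beside a containment check that applies Windows path rules and proves the resolved path stays under the base directory. The base directory, the naive filter and the sample inputs are constructed for illustration; ntpath is used so the Windows semantics run on any host.

```python
# Added example (not parisneo/lollms code): why a separator- or prefix-based
# traversal filter fails under Windows path rules, and a containment check
# that does not. ntpath is used so Windows semantics reproduce on any host.
# BASE_DIR and the naive filter are hypothetical, chosen for illustration.
import ntpath

BASE_DIR = r"C:\lollms\personalities"  # hypothetical sandbox root


def naive_sanitize(user_path: str) -> str:
    """Illustrative weak filter: only knows POSIX-style traversal."""
    if "../" in user_path or user_path.startswith("/"):
        raise ValueError("traversal rejected")
    return user_path


def naive_resolve(user_path: str) -> str:
    """Resolve under BASE_DIR after the weak filter (the shape of the bug)."""
    return ntpath.normpath(ntpath.join(BASE_DIR, naive_sanitize(user_path)))


def safe_resolve(user_path: str) -> str:
    """Refuse anything rooted or drive-qualified, normalise with Windows
    rules, then prove the result stays inside BASE_DIR via commonpath."""
    if "\x00" in user_path:
        raise ValueError("NUL byte in path")
    drive, tail = ntpath.splitdrive(user_path)
    # Catches C:\..., C:relative, \\server\share\..., \rooted and /rooted.
    if drive or tail.startswith(("\\", "/")):
        raise ValueError("absolute or drive-relative path rejected")
    root = ntpath.normpath(BASE_DIR)
    # normpath converts '/' to '\' and collapses '.' and '..' components.
    candidate = ntpath.normpath(ntpath.join(root, user_path))
    try:
        common = ntpath.commonpath([root, candidate])
    except ValueError:  # raised when drives differ or abs/rel are mixed
        raise ValueError("escapes base directory") from None
    # Component-wise comparison: a sibling such as C:\lollms\personalities2
    # would pass a plain startswith() check but fails here.
    if ntpath.normcase(common) != ntpath.normcase(root):
        raise ValueError("escapes base directory")
    return candidate


def rejected(user_path: str) -> bool:
    """True if the hardened check refuses the input."""
    try:
        safe_resolve(user_path)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample inputs: two Windows-style escapes, a sibling-prefix
    # escape and one legitimate relative path.
    for p in (r"..\..\Windows\win.ini", r"C:\Windows\win.ini",
              r"..\personalities_private\keys.yaml", r"python\personality.yaml"):
        for label, fn in (("naive", naive_resolve), ("safe ", safe_resolve)):
            try:
                print(f"{label} {p!r:40} -> {fn(p)}")
            except ValueError as e:
                print(f"{label} {p!r:40} -> rejected ({e})")
```

Run stand-alone, the naive resolver maps `..\..\Windows\win.ini` and the drive-absolute `C:\Windows\win.ini` straight outside the sandbox, because neither contains the `../` sequence it looks for, while safe_resolve refuses both and also the sibling-prefix case that a plain startswith check would accept. What this does not model is filesystem-level normalisation (trailing dots and spaces, 8.3 short names, NTFS alternate data streams, symlinks and junctions); on a real server, repeat the containment test on os.path.realpath() of the candidate before opening it.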
Impact
Successful exploitation could lead to unauthorized access to sensitive files, information disclosure, and potentially a denial of service (DoS) condition by including numerous large or resource-intensive files [1].
Mitigation
The vulnerability affects all versions prior to 9.6. Users should update to the latest patched version to mitigate the risk [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| lollms (PyPI) | < 9.5.0 | 9.5.0 |
Affected products
parisneo/lollms v5 (range: unspecified)
Patches
1f4424cfc3d6d
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
4
News mentions
0
No linked articles in our index yet.