VYPR
Medium severity6.3OSV Advisory· Published Nov 26, 2024· Updated Jun 17, 2026

CVE-2024-53844

CVE-2024-53844

Description

E.D.D.I (Enhanced Dialog Driven Interface) is a middleware to connect and manage LLM API bots. A path traversal vulnerability exists in the backup export functionality of EDDI, as implemented in RestExportService.java. This vulnerability allows an attacker to access sensitive files on the server by manipulating the botFilename parameter in requests. The application fails to sanitize user input, enabling malicious inputs such as ..%2f..%2fetc%2fpasswd to access arbitrary files. However, the severity of this vulnerability is significantly limited because EDDI typically runs within a Docker container, which provides additional layers of isolation and restricted permissions. As a result, while this vulnerability exposes files within the container, it does not inherently threaten the underlying host system or other containers. A patch is required to sanitize and validate the botFilename input parameter. Users should ensure they are using version 5.4 which contains this patdch. For temporary mitigation, access to the vulnerable endpoint should be restricted through firewall rules or authentication mechanisms.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

2
  • Labsai/EddiOSV2 versions
    (expand)+ 1 more
    • (no CPE)
    • (no CPE)range: <5.4

Patches

Vulnerability mechanics

References

2

News mentions

0

No linked articles in our index yet.