Vulnerability Description
A command injection vulnerability exists in the `TranscriptEndpoint` of mudler/localai, specifically within the `audioToWav` function used for converting audio files to WAV format for transcription. The vulnerability arises due to the lack of sanitization of user-supplied filenames before passing them to ffmpeg via a shell command, allowing an attacker to execute arbitrary commands on the host system. Successful exploitation could lead to unauthorized access, data breaches, or other detrimental impacts, depending on the privileges of the process executing the code.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Mudler | Localai | < 2.10.0 |
Related Weaknesses (CWE)
References
- https://github.com/mudler/localai/commit/31a4c9c9d3abc58de2bdc5305419181c8b33eb1Patch
- https://huntr.com/bounties/e092528a-ce3b-4e66-9b98-3f56d6b276b0ExploitThird Party Advisory
- https://github.com/mudler/localai/commit/31a4c9c9d3abc58de2bdc5305419181c8b33eb1Patch
- https://huntr.com/bounties/e092528a-ce3b-4e66-9b98-3f56d6b276b0ExploitThird Party Advisory
FAQ
What is CVE-2024-2029?
CVE-2024-2029 is a vulnerability with a CVSS score of 9.8 (CRITICAL). A command injection vulnerability exists in the `TranscriptEndpoint` of mudler/localai, specifically within the `audioToWav` function used for converting audio files to WAV format for transcription. T...
How severe is CVE-2024-2029?
CVE-2024-2029 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2024-2029?
Check the references section above for vendor advisories and patch information. Affected products include: Mudler Localai.