CVE-2024-48057
PUBLISHED
CVSS 2.1 LOW
LocalAI versions <= 2.20.1 are vulnerable to cross-site scripting (XSS). Calling the delete-model API with improper parameters can cause a one-time stored XSS; the payload is triggered when a user visits the homepage.
EPSS 0.12% · 30.1th percentile
Risk Scores
CVSS v4.0
2.1
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P
EPSS Score
0.12%
30.1th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| github.com | mudler/LocalAI | 0, 0 |
| mudler | localai | 0, 0 |
Timeline
- Jan 21, 1970 GitHub Gist PoC
- Nov 4, 2024 CVE Published
- Nov 5, 2024 EPSS Score
- Nov 5, 2024 PoC Published
- Nov 6, 2024 Coalition ESS Score
- Nov 23, 2024 EPSS Score
- Dec 12, 2024 EPSS Score
- Dec 30, 2024 EPSS Score
- Jan 17, 2025 EPSS Score
- Feb 3, 2025 EPSS Score
- Feb 21, 2025 EPSS Score
- Mar 11, 2025 EPSS Score
References
- https://rumbling-slice-eb0.notion.site/LocalAI-deleted-model-with-storage-XSS-CSRF-vulnerability-in-mudler-localai-101e3cda9e8c80e0ac12fe418d5dd982?pvs=4 (url)
- https://gist.github.com/AfterSnows/1bd7ee5a3a42dbb5f5ff67f7f9c8ccec (url)
- https://nvd.nist.gov/vuln/detail/CVE-2024-48057 (advisory)
- https://github.com/mudler/localai/commit/a1634b219a4e52813e70ff07e6376a01449c4515 (url)
- https://github.com/advisories/GHSA-ghx4-cgxw-7h9p (advisory)
- https://github.com/mudler/LocalAI (package)
- https://github.com/mudler/LocalAI/blob/master/core/http/views/index.html#L75 (url)