RCE via /add_llm Endpoint
A remote code execution (RCE) vulnerability was discovered in the `add_llm` function of `llm_app.py` in version 0.11.0. The vulnerability allows attackers to execute arbitrary code by manipulating user-supplied input. The issue has not yet been patched.
Available publicly on Jan 16 2025
Remediation Steps
- Implement comprehensive input validation and sanitization for all user-supplied input.
- Avoid using user input directly to instantiate classes or execute code.
- Apply the principle of least privilege to limit the impact of potential exploits.
- Update to a patched version once available.
- Conduct a thorough security review of the codebase to identify and mitigate similar vulnerabilities.
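One way to apply the first two remediation steps, shown as an added example that is not code from `llm_app.py` or the affected project: the provider class is selected by lookup in a fixed server-side allowlist instead of being resolved from the request. The field names (`llm_factory`, `model_name`, `api_key`), the provider classes and `build_llm` are hypothetical.

```python
import re
from dataclasses import dataclass


# Hypothetical provider classes standing in for the application's real ones.
@dataclass(frozen=True)
class OpenAIChat:
    model_name: str
    api_key: str


@dataclass(frozen=True)
class LocalChat:
    model_name: str
    api_key: str


# Server-side allowlist: the only classes a request can ever select.
ALLOWED_FACTORIES = {"OpenAI": OpenAIChat, "Local": LocalChat}
# Assumed request schema; anything outside it is rejected, not ignored.
ALLOWED_FIELDS = {"llm_factory", "model_name", "api_key"}
MODEL_NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._:-]{0,63}")


class InvalidLLMRequest(ValueError):
    """Validation failure; the endpoint should answer HTTP 400."""


def build_llm(payload):
    """Validate an add_llm-style JSON payload and build the provider object."""
    if not isinstance(payload, dict):
        raise InvalidLLMRequest("payload must be a JSON object")
    if set(payload) - ALLOWED_FIELDS:
        raise InvalidLLMRequest("unexpected fields in request")
    factory = payload.get("llm_factory")
    model = payload.get("model_name")
    key = payload.get("api_key", "")
    if not all(isinstance(v, str) for v in (factory, model, key)):
        raise InvalidLLMRequest("all fields must be strings")
    # Plain dictionary lookup: no globals(), getattr(), importlib or eval()
    # is ever applied to a request value.
    cls = ALLOWED_FACTORIES.get(factory)
    if cls is None:
        raise InvalidLLMRequest("unsupported llm_factory")
    if not MODEL_NAME_RE.fullmatch(model):
        raise InvalidLLMRequest("invalid model_name")
    return cls(model_name=model, api_key=key)
```

Adding a provider then requires a code change to `ALLOWED_FACTORIES`, which keeps the set of instantiable classes under review rather than under the caller's control.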
Patch Details
- Fixed Version: N/A
- Patch Commit: N/A