High

ragflow

RCE via /add_llm Endpoint

A remote code execution (RCE) vulnerability was discovered in the `add_llm` function of `llm_app.py` in ragflow version 0.11.0. The vulnerability allows attackers to execute arbitrary code by manipulating user-supplied input. The issue has not yet been patched.

Available publicly on Jan 16 2025

Remediation Steps
  1. Implement comprehensive input validation and sanitization for all user-supplied input.
  2. Avoid using user input directly to instantiate classes or execute code.
  3. Apply the principle of least privilege to limit the impact of potential exploits.
  4. Update to a patched version once available.
  5. Conduct a thorough security review of the codebase to identify and mitigate similar vulnerabilities.
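
One way to apply steps 1 and 2 is sketched below as an added example, not ragflow's code or its patch: the request is validated field by field, and the class to instantiate comes only from a fixed server-side registry. The request field names, the provider name and the two client classes are hypothetical.

```python
import re
from dataclasses import dataclass

# Hypothetical stand-ins for provider client classes (not ragflow's own).
@dataclass(frozen=True)
class ChatClient:
    api_key: str
    model_name: str

@dataclass(frozen=True)
class EmbeddingClient:
    api_key: str
    model_name: str

# Fixed registry: only these (model_type, factory) pairs can be built.
# Request data selects an entry; it never names a class, module or attribute.
REGISTRY = {
    ("chat", "ExampleProvider"): ChatClient,
    ("embedding", "ExampleProvider"): EmbeddingClient,
}

# Assumed request fields for this example.
REQUIRED = ("model_type", "llm_factory", "llm_name", "api_key")
MODEL_NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._:/-]{0,127}")

class RejectedRequest(ValueError):
    """Raised for any request that fails validation."""

def build_client(req):
    """Validate an add-model request and build a client from the registry."""
    if not isinstance(req, dict):
        raise RejectedRequest("body must be a JSON object")
    unknown = set(req) - set(REQUIRED)
    if unknown:
        raise RejectedRequest(f"unexpected fields: {sorted(unknown)}")
    for field in REQUIRED:
        value = req.get(field)
        # Reject lists, dicts, numbers and null: every field is a plain string.
        if not isinstance(value, str) or not value:
            raise RejectedRequest(f"{field} must be a non-empty string")
    cls = REGISTRY.get((req["model_type"], req["llm_factory"]))
    if cls is None:
        raise RejectedRequest("unsupported model_type/llm_factory pair")
    if not MODEL_NAME_RE.fullmatch(req["llm_name"]):
        raise RejectedRequest("llm_name contains unexpected characters")
    # Keyword arguments with fixed names: the request cannot add parameters.
    return cls(api_key=req["api_key"], model_name=req["llm_name"])
```
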
Patch Details
  • Fixed Version: N/A
  • Patch Commit: N/A