Home > Vulnerability Database > CVE-2024-10131

Mend.io Vulnerability Database

CVE-2024-10131

Good to know:

Date: October 18, 2024

The `add_llm` function in `llm_app.py` in infiniflow/ragflow version 0.11.0 contains a remote code execution (RCE) vulnerability. The function uses user-supplied input `req['llm_factory']` and `req['llm_name']` to dynamically instantiate classes from various model dictionaries. This approach allows an attacker to potentially execute arbitrary code due to the lack of comprehensive input validation or sanitization. An attacker could provide a malicious value for 'llm_factory' that, when used as an index to these model dictionaries, results in the execution of arbitrary code.

Language: Python

Severity Score

8.8

Related Resources (3)

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-10131

Url: https://huntr.com/bounties/42ae0b27-e851-4b58-a991-f691a437fbaa

Url: https://www.mend.io/vulnerability-database/CVE-2024-10131

Severity Score

8.8

Weakness Type (CWE)

Command Injection

CWE-77

Top Fix

Upgrade Version

Upgrade to version 4991107822144cbea3f5c4896d91a5afb0e7b22f

Learn More

CVSS v3.1

Base Score:	8.8
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2024-10131

Good to know:

Date: October 18, 2024

Language: Python

Severity Score

Related Resources (3)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?