CVE-2024-2029

EPSS: 85.1%
Published: Apr 10, 2024 · Last Modified: Jun 17, 2026

Description

A command injection vulnerability exists in the `TranscriptEndpoint` of mudler/localai, specifically within the `audioToWav` function used to convert uploaded audio to WAV before transcription. User-supplied filenames are not sanitized before being interpolated into a shell command that invokes ffmpeg, so an attacker who can reach the endpoint can execute arbitrary commands on the host with the privileges of the LocalAI process. Successful exploitation could lead to unauthorized access, data breaches, or other impacts, depending on those privileges.
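The CWE-78 pattern described above, as an added example in Go (the language LocalAI is written in) that is not LocalAI's own code: `vulnerableCommand` reconstructs the risky shape (a client-controlled name spliced into a string destined for `sh -c`) and `safeCommand` the hardened shape (an allowlisted name passed as its own argv entry to `exec.Command`, no shell involved). The function names, the `/tmp/uploads` directory and the ffmpeg flags are assumptions for illustration; the original `audioToWav` body is not reproduced here.

```go
package main

import (
	"fmt"
	"os/exec"
	"path/filepath"
	"regexp"
)

// uploadDir is an assumed location for uploaded audio, not LocalAI's layout.
const uploadDir = "/tmp/uploads"

// vulnerableCommand reconstructs the CWE-78 shape the advisory describes
// (illustrative only, not the original audioToWav): the client-controlled
// name is spliced into a string that would later run as `sh -c <string>`.
// A name such as "clip.mp3; id" ends the ffmpeg command and starts another.
func vulnerableCommand(uploadName string) string {
	src := filepath.Join(uploadDir, uploadName)
	dst := src + ".wav"
	return fmt.Sprintf("ffmpeg -i %s -ar 16000 -ac 1 %s", src, dst)
}

// safeName allows exactly one path component: it starts with a letter or
// digit and contains only letters, digits, dot, underscore and hyphen. That
// rules out separators, whitespace, shell metacharacters, "." / ".." and
// option-like names beginning with "-".
var safeName = regexp.MustCompile(`^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$`)

// safeCommand validates the name against the allowlist and builds the
// command as an argv slice with no shell, so every value is exactly one
// argument to ffmpeg regardless of the bytes it contains.
func safeCommand(uploadName string) (*exec.Cmd, error) {
	if !safeName.MatchString(uploadName) {
		return nil, fmt.Errorf("rejected upload name %q", uploadName)
	}
	src := filepath.Join(uploadDir, uploadName)
	dst := src + ".wav"
	return exec.Command("ffmpeg", "-i", src, "-ar", "16000", "-ac", "1", dst), nil
}

func main() {
	// Constructed sample names: a benign one and one carrying a shell separator.
	for _, name := range []string{"clip.mp3", "clip.mp3; id"} {
		fmt.Printf("shell string: %s\n", vulnerableCommand(name))
		if cmd, err := safeCommand(name); err != nil {
			fmt.Println("hardened:", err)
		} else {
			fmt.Printf("hardened argv: %q\n", cmd.Args)
		}
	}
}
```

The allowlist is the defence that matters even when the shell is gone: without it a name such as `-loglevel` could still be read by ffmpeg as an option in a positional slot. Ignoring the client-supplied name altogether and writing the upload to a server-generated temporary file is the more robust option and removes the filename from the trust boundary entirely.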

Threat Intelligence

EPSS percentile: 85.1%
Exploit & Patch Status
Public Exploit Known
Patch Available

Weaknesses

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Affected Products

Vendor   Product   Version   Range
mudler   localai   *         <2.10.0

References

  • github.com https://github.com/mudler/localai/commit/31a4c9c9d3abc58de2bdc5305419181c8b33eb1c
    Patch
  • huntr.com https://huntr.com/bounties/e092528a-ce3b-4e66-9b98-3f56d6b276b0
    Exploit, Third Party Advisory

Remediation

Upgrade mudler/localai to 2.10.0 or later (all versions below 2.10.0 are affected), or apply the referenced commit.

  • github.com https://github.com/mudler/localai/commit/31a4c9c9d3abc58de2bdc5305419181c8b33eb1c
    Patch