CVE-2024-6868

mudler/LocalAI version 2.17.1 allows for arbitrary file write due to improper handling of automatic archive extraction. When model configurations specify additional files as archives (e.g., .tar), these archives are automatically extracted after downloading. This behavior can be exploited to perform a 'tarslip' attack, allowing files to be written to arbitrary locations on the server, bypassing checks that normally restrict files to the models directory. This vulnerability can lead to remote code execution (RCE) by overwriting backend assets used by the server.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/mudler/localai/commit/a181dd0ebc5d3092fc50f61674d552604fe8ef9c	Patch
https://huntr.com/bounties/752d2376-2d9a-4e17-b462-3c267f9dd229	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:mudler:localai:2.17.1:*:*:*:*:*:*:*

History

15 Oct 2025, 13:15

Type	Values Removed	Values Added
CWE	~~CWE-20~~	CWE-59

Information

Published : 2024-10-29 13:15

Updated : 2025-10-15 13:15

NVD link : CVE-2024-6868

Mitre link : CVE-2024-6868

CVE.ORG link : CVE-2024-6868

JSON object : View

Products Affected

mudler

localai

CWE

CWE-59

Improper Link Resolution Before File Access ('Link Following')

NVD-CWE-noinfo

{"id": "CVE-2024-6868", "cveTags": [], "metrics": {"cvssMetricV30": [{"type": "Secondary", "source": "security@huntr.dev", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 5.2, "exploitabilityScore": 2.8}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2024-10-29T13:15:08.473", "references": [{"url": "https://github.com/mudler/localai/commit/a181dd0ebc5d3092fc50f61674d552604fe8ef9c", "tags": ["Patch"], "source": "security@huntr.dev"}, {"url": "https://huntr.com/bounties/752d2376-2d9a-4e17-b462-3c267f9dd229", "tags": ["Exploit", "Third Party Advisory"], "source": "security@huntr.dev"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "security@huntr.dev", "description": [{"lang": "en", "value": "CWE-59"}]}, {"type": "Secondary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "mudler/LocalAI version 2.17.1 allows for arbitrary file write due to improper handling of automatic archive extraction. When model configurations specify additional files as archives (e.g., .tar), these archives are automatically extracted after downloading. This behavior can be exploited to perform a 'tarslip' attack, allowing files to be written to arbitrary locations on the server, bypassing checks that normally restrict files to the models directory. This vulnerability can lead to remote code execution (RCE) by overwriting backend assets used by the server."}, {"lang": "es", "value": "La versi\u00f3n 2.17.1 de mudler/LocalAI permite la escritura arbitraria de archivos debido al manejo inadecuado de la extracci\u00f3n autom\u00e1tica de archivos. Cuando las configuraciones de modelos especifican archivos adicionales como archivos (por ejemplo, .tar), estos archivos se extraen autom\u00e1ticamente despu\u00e9s de la descarga. Este comportamiento se puede aprovechar para realizar un ataque \"tarslip\", que permite escribir archivos en ubicaciones arbitrarias en el servidor, evitando las comprobaciones que normalmente restringen los archivos al directorio de modelos. Esta vulnerabilidad puede provocar la ejecuci\u00f3n remota de c\u00f3digo (RCE) al sobrescribir los activos del backend utilizados por el servidor."}], "lastModified": "2025-10-15T13:15:50.560", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:mudler:localai:2.17.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "CDCAF2D5-46FD-4D8E-B65B-9BE9FDD5D686"}], "operator": "OR"}]}], "sourceIdentifier": "security@huntr.dev"}