CVE-2024-55241

CVE-2024-55241 is a code injection vulnerability (CWE-94) affecting the deep-diver LLM-As-Chatbot application prior to commit 99c2c03. The flaw resides in the modelsbyom.py component, enabling remote arbitrary code execution. It carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its network accessibility, low complexity, and significant impacts on confidentiality, integrity, and availability.

A remote attacker with low privileges, such as an authenticated user, can exploit this vulnerability over the network without requiring user interaction. Successful exploitation allows the attacker to execute arbitrary code on the affected system, potentially leading to full compromise including data exfiltration, modification of chatbot behavior, or system takeover.

Advisories, including a detailed Notion page at https://diamond-bath-fd4.notion.site/Remote-Code-Execution-vulnerability-in-load_model-in-deep-diver-LLM-As-Chatbot-14d4a5b4bb28806795e8e5e8ef9ae27b, describe the remote code execution issue in the load_model function of deep-diver LLM-As-Chatbot. Practitioners should update to commit 99c2c03 or later to mitigate the vulnerability.

This vulnerability is particularly relevant to AI/ML deployments, as it targets an LLM-as-chatbot framework, highlighting risks in loading models within untrusted or insufficiently validated environments. No public evidence of real-world exploitation has been reported as of the CVE publication on 2025-02-06.