CVE-2024-8898
Published: 20 March 2025
Description
Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.
Security Summary
CVE-2024-8898, published on 2025-03-20, is a path traversal vulnerability (CWE-22) affecting the `install` and `uninstall` API endpoints in parisneo/lollms-webui version V12 (Strawberry). The flaw arises from insufficient sanitization of user-supplied input, allowing attackers to traverse directories outside the intended path and create or delete directories with arbitrary paths on the host system. It carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity with high impacts on confidentiality, integrity, and availability.
Unauthenticated attackers with network access can exploit this vulnerability with low complexity and no user interaction required. Exploitation enables remote creation or deletion of arbitrary directories, granting significant control over the file system and potentially facilitating further compromise such as data exfiltration, persistence, or disruption of services.
Advisories reference a fixing commit at https://github.com/parisneo/lollms-webui/commit/6d07c8a0dd0a15cc060becc73fda9fe8e788eb23, and the issue was reported via Huntr bounties documented at https://huntr.com/bounties/6072371f-0ddc-42e3-9207-1c6d6b18d32f. Security practitioners should apply the patch and review access to affected API endpoints.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Path traversal in public-facing web UI API endpoints directly enables T1190 for initial access; arbitrary directory creation/deletion facilitates T1485 for data destruction and service disruption.