parisneo lollms Remote Code Execution Vulnerability in Calculator Function
Vulnerability
A remote code execution vulnerability has been identified in parisneo/lollms version 9.8. The issue arises in the Calculate function, which passes user-supplied mathematical expressions to Python's eval(). The evaluation runs in a sandbox that removes the built-in functions from the evaluation namespace and exposes only selected math module functions. That restriction removes names, not objects: the expression is still executed as Python, so the class hierarchy of any literal remains reachable, and from there the BuiltinImporter class can be used to import the os module and execute arbitrary commands on the server. The vulnerability has been addressed in version 9.10.
Impact
Exploitation of this vulnerability allows remote code execution on the server where lollms is running, with the privileges of the lollms process.
Reproduction
The vulnerability can be reproduced by calling the Calculate function with a crafted expression that imports the os module through the BuiltinImporter class and uses it to execute commands. Because the sandbox only strips names from the evaluation namespace, the importer remains reachable through the object hierarchy of any literal in the expression, which bypasses the sandbox restrictions.
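The pattern described under Vulnerability and Reproduction, as an added illustration that is not lollms code and not the project's fix: a reconstruction of an eval()-based calculator whose sandbox empties __builtins__ and exposes a few math names, the bypass route the advisory names (reaching BuiltinImporter from a literal's class hierarchy and asking it to load os; the example stops at obtaining the module object and runs no command), and a hardened replacement that parses the expression to an AST and interprets only arithmetic, never calling eval(). The whitelist contents, the exponent cap and the function names are assumptions.

```python
import ast
import math
import operator

# Names the calculator exposes to expressions. The advisory only says
# "certain math module functions"; this particular list is an assumption.
ALLOWED_NAMES = {
    "sqrt": math.sqrt, "sin": math.sin, "cos": math.cos, "tan": math.tan,
    "log": math.log, "exp": math.exp, "pi": math.pi, "e": math.e,
    "abs": abs, "round": round, "min": min, "max": max,
}


def calculate_unsafe(expression: str):
    """Reconstruction of the vulnerable pattern (not lollms's own code):
    eval() with __builtins__ emptied and a whitelist of math names.

    Emptying __builtins__ removes names, not objects. Any literal still has
    __class__, object.__subclasses__() still lists every loaded class, and
    importlib's BuiltinImporter is among them.
    """
    return eval(expression, {"__builtins__": {}}, dict(ALLOWED_NAMES))


# Bypass in the shape the advisory describes: walk from a tuple literal to
# BuiltinImporter and have it load os. This stays at obtaining the module
# object and runs no command; os.system is one attribute away from here.
BYPASS_PAYLOAD = (
    "[c for c in ().__class__.__base__.__subclasses__() "
    "if c.__name__ == 'BuiltinImporter'][0].load_module('os')"
)


class UnsafeExpression(ValueError):
    """Raised by calculate_safe for anything outside plain arithmetic."""


_BIN_OPS = {
    ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul,
    ast.Div: operator.truediv, ast.FloorDiv: operator.floordiv,
    ast.Mod: operator.mod, ast.Pow: operator.pow,
}
_UNARY_OPS = {ast.UAdd: operator.pos, ast.USub: operator.neg}
MAX_EXPONENT = 1000  # assumption: stops 9**9**9-style resource exhaustion


def calculate_safe(expression: str):
    """Hardened form: parse to an AST and interpret a small arithmetic
    subset directly. eval() is never called, so there is no object graph
    to walk; attribute access, subscripts, comprehensions, lambdas,
    string literals and unknown names are rejected before evaluation."""
    try:
        tree = ast.parse(expression, mode="eval")
    except SyntaxError as exc:
        raise UnsafeExpression(f"not a valid expression: {exc.msg}") from None
    return _eval_node(tree.body)


def _number(value):
    if isinstance(value, (int, float)) and not isinstance(value, bool):
        return value
    raise UnsafeExpression("operands must be numbers")


def _eval_node(node):
    if isinstance(node, ast.Constant):
        return _number(node.value)  # rejects str, bytes, bool, complex, None
    if isinstance(node, ast.Name):
        if node.id in ALLOWED_NAMES:
            return ALLOWED_NAMES[node.id]
        raise UnsafeExpression(f"unknown name {node.id!r}")
    if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARY_OPS:
        return _UNARY_OPS[type(node.op)](_number(_eval_node(node.operand)))
    if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
        left = _number(_eval_node(node.left))
        right = _number(_eval_node(node.right))
        if isinstance(node.op, ast.Pow) and abs(right) > MAX_EXPONENT:
            raise UnsafeExpression("exponent too large")
        return _BIN_OPS[type(node.op)](left, right)
    if isinstance(node, ast.Call):
        # The callee must be a bare whitelisted name: no attribute lookups,
        # so nothing like BuiltinImporter.load_module is ever reachable.
        if not isinstance(node.func, ast.Name) or node.keywords:
            raise UnsafeExpression("only direct calls to whitelisted functions")
        func = _eval_node(node.func)
        if not callable(func):
            raise UnsafeExpression(f"{node.func.id!r} is not callable")
        return func(*[_eval_node(arg) for arg in node.args])
    # ast.Attribute, ast.Subscript, ast.ListComp, ast.Lambda, ast.Compare,
    # ast.BoolOp, f-strings and everything else land here.
    raise UnsafeExpression(f"disallowed syntax: {type(node).__name__}")


if __name__ == "__main__":
    print(calculate_safe("sqrt(16) + 2 ** 3"))   # 12.0
    print(calculate_unsafe(BYPASS_PAYLOAD))       # the os module object
    try:
        calculate_safe(BYPASS_PAYLOAD)
    except UnsafeExpression as exc:
        print("rejected:", exc)
```

The fix is structural rather than a longer denylist: the safe evaluator never hands the expression to the interpreter, so there is no namespace to escape from. Anything not explicitly interpreted (attribute access in particular, which every Python sandbox escape depends on) fails closed.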
Remediation
Users are advised to update to lollms version 9.10 or later. Until the update is applied, the calculator should not be exposed to untrusted input: restricting the namespace passed to eval() does not make it safe, and any expression that reaches eval() should be treated as code execution.
