Parisneo Lollms Unauthenticated File Upload Vulnerability Allowing Denial-of-Service
Vulnerability
Parisneo Lollms versions through 2.2.0 allow unauthenticated users to upload files via the '/api/files/extract-text' endpoint. Contrary to the application's stated security policies, the endpoint performs no authentication and does not require a token for access. Because uploaded files are processed without any access controls, the vulnerability can lead to denial-of-service through resource exhaustion and can potentially disclose sensitive information.
Impact
Exploitation of this vulnerability can cause a denial-of-service: uploaded files are processed without authentication, and that processing consumes server CPU and memory until resources are exhausted. The vulnerability also allows information disclosure, because sensitive files are processed without access control, in violation of the application's documented security policies.
Reproduction
To reproduce this vulnerability, send a POST request to the '/api/files/extract-text' endpoint without authentication. Include a file in the request. The server will respond with a status code of 200 and the extracted text content, indicating successful exploitation.
Remediation
The vulnerability has been fixed in version 2.2.0 by adding authentication requirements to the endpoint. Users should update to this version.
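A post-upgrade check for the fix described above, as an added example that is not code from the Lollms project or from this advisory: it sends one small unauthenticated upload to your own deployment and reports whether the endpoint rejects it. Only the endpoint path comes from the advisory; the multipart field name `file` and the rule that 401/403 means "protected" are assumptions.

```python
import sys
import urllib.error
import urllib.request
import uuid

ENDPOINT = "/api/files/extract-text"  # path named in the advisory


def build_multipart(field, filename, content):
    """Encode one file part as multipart/form-data; returns (body, content_type)."""
    boundary = uuid.uuid4().hex
    head = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="{field}"; filename="{filename}"\r\n'
        "Content-Type: text/plain\r\n\r\n"
    ).encode()
    tail = f"\r\n--{boundary}--\r\n".encode()
    return head + content + tail, f"multipart/form-data; boundary={boundary}"


def classify(status):
    """Map the HTTP status of an unauthenticated upload to a verdict."""
    if status in (401, 403):
        return "protected"      # assumption: the fixed endpoint rejects with 401/403
    if 200 <= status < 300:
        return "exposed"        # advisory: vulnerable servers answer 200 with the text
    return "inconclusive"       # e.g. 404/422: wrong path or field name, check by hand


def check_endpoint(base_url, field="file", timeout=10):
    """POST a tiny text file with no Authorization header; returns (status, verdict)."""
    # "file" is an assumed form field name; the advisory does not state it.
    body, ctype = build_multipart(field, "probe.txt", b"auth regression probe\n")
    req = urllib.request.Request(
        base_url.rstrip("/") + ENDPOINT, data=body, method="POST",
        headers={"Content-Type": ctype},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            status = resp.status
    except urllib.error.HTTPError as err:  # 4xx/5xx arrive as exceptions
        status = err.code
    return status, classify(status)


if __name__ == "__main__" and len(sys.argv) == 2:
    # Usage: python check_extract_text.py http://127.0.0.1:PORT
    print(check_endpoint(sys.argv[1]))
```

An "inconclusive" result means the request never reached the authentication decision as expected, so confirm the path and field name against your installed version before treating the deployment as fixed.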
