Parisneo Lollms Unauthenticated Access to Sensitive Socket.IO Events Vulnerability
Vulnerability
A vulnerability in the 'lollms_generation_events.py' component of Parisneo Lollms version 5.9.0 allows unauthenticated access to sensitive Socket.IO events. The 'add_events' function registers event handlers such as 'generate_text', 'cancel_generation', 'generate_msg', and 'generate_msg_from' without implementing authentication or authorization checks. This oversight enables unauthenticated clients to execute resource-intensive or state-altering operations, potentially leading to denial-of-service, state corruption, and race conditions. Furthermore, the use of global flags for state management in a multi-client environment introduces additional vulnerabilities, allowing one client's actions to impact the server's state and disrupt other clients' operations.
Impact
Exploitation of this vulnerability allows unauthenticated clients to access sensitive Socket.IO events and perform resource-intensive or state-altering operations. This can lead to a denial-of-service condition, where the server becomes unresponsive to legitimate users, and cause state corruption, allowing one client's actions to interfere with another's.
Reproduction
To reproduce this vulnerability, establish a Socket.IO connection to the server without authentication. Once connected, send a 'generate_text' event with a large value for the 'n_predicts' parameter. The server will lock into a long-running task, denying service to other users. Alternatively, connect as an unauthenticated client and send a 'cancel_generation' event, which can disrupt ongoing tasks of other users by improperly resetting the server's busy state.
Remediation
This vulnerability has been fixed in version 2.0.0 of Parisneo Lollms. The update removed the vulnerable Socket.IO event handlers and implemented authentication for the generation logic. State management has also been improved by isolating controls per user and discussion, eliminating the use of global flags.
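As an added illustration of the two defects described above and of the remediation pattern (authentication at connect, state keyed per user and discussion instead of a global flag), here is a minimal in-memory model of the handler logic. It is example code, not lollms source; the token table, the socket ids and the 1024-token cap are constructed assumptions, and no Socket.IO library is wired in so that it runs stand-alone.

```python
# Added example, not lollms code: an in-memory model of the handler pattern
# described above (global flag, no auth) beside a hardened per-user version.
VALID_TOKENS = {"tok-alice": "alice", "tok-bob": "bob"}  # constructed sample data

class VulnerableHandlers:  # one global busy flag, no authentication check
    def __init__(self):
        self.busy = False

    def generate_text(self, sid, data):
        if self.busy:
            return "busy"
        self.busy = True  # a long-running generation would start here
        return "started"

    def cancel_generation(self, sid, data):
        self.busy = False  # any socket can reset state owned by another client
        return "cancelled"

class HardenedHandlers:  # authenticate at connect; state keyed per (user, discussion)
    def __init__(self):
        self.sessions = {}  # sid -> user, set only by a successful connect
        self.active = {}  # (user, discussion_id) -> True while generating

    def connect(self, sid, auth):
        user = VALID_TOKENS.get((auth or {}).get("token"))
        if user is None:
            return False  # mirrors python-socketio, where False from connect rejects the client
        self.sessions[sid] = user
        return True

    def _owner(self, sid, data):  # identity comes from the session, never from the payload
        user = self.sessions.get(sid)
        if user is None:
            raise PermissionError("unauthenticated socket")
        return (user, str(data["discussion_id"]))

    def generate_text(self, sid, data):
        key = self._owner(sid, data)
        n = int(data.get("n_predicts", 0))
        if not 0 < n <= 1024:  # assumed per-request cap bounds the work a client can demand
            raise ValueError("n_predicts out of range")
        if key in self.active:
            return "busy"
        self.active[key] = True
        return "started"

    def cancel_generation(self, sid, data):
        key = self._owner(sid, data)  # can only touch the caller's own discussion
        return "cancelled" if self.active.pop(key, None) else "nothing to cancel"
```

In the vulnerable model an unauthenticated socket can both occupy the single busy flag and clear it for everyone else; in the hardened model an unauthenticated socket never reaches a handler, the request size is bounded, and one user's cancel cannot affect another user's generation.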
