CVE-2024-2029
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2024-2029
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-2029.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2024-2029
- Aliases
- Published
- 2024-04-10T17:15:53Z
- Modified
- 2025-05-19T10:16:08.805672Z
- Summary
- [none]
- Details
-
A command injection vulnerability exists in the
TranscriptEndpointof mudler/localai, specifically within theaudioToWavfunction used for converting audio files to WAV format for transcription. The vulnerability arises due to the lack of sanitization of user-supplied filenames before passing them to ffmpeg via a shell command, allowing an attacker to execute arbitrary commands on the host system. Successful exploitation could lead to unauthorized access, data breaches, or other detrimental impacts, depending on the privileges of the process executing the code. - References
Affected packages
Git / github.com/mudler/localai
Affected ranges
- Type
- GIT
- Repo
- https://github.com/mudler/localai
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixedFixed
Affected versions
v.*
v.1.24.0
v0.*
v0.1
v0.10.0
v0.2
v0.3
v0.4
v0.5
v0.6
v0.7
v0.8
v0.8.1
v0.9
v0.9.1
v0.9.2
v1.*
v1.0
v1.1.0
v1.10.0
v1.10.1
v1.11.0
v1.11.1
v1.12.0
v1.13.0
v1.14.0
v1.14.1
v1.14.2
v1.15.0
v1.16.0
v1.17.0
v1.17.1
v1.18.0
v1.19.0
v1.19.1
v1.19.2
v1.2.0
v1.20.0
v1.20.1
v1.21.0
v1.22.0
v1.23.0
v1.23.1
v1.23.2
v1.24.1
v1.25.0
v1.3.0
v1.3.1
v1.3.2
v1.30.0
v1.4.0
v1.40.0
v1.5.0
v1.5.1
v1.6.0
v1.6.1
v1.6.2
v1.6.3
v1.7.0
v1.7.1
v1.8.0
v1.8.1
v1.9.0
v1.9.1
v2.*
v2.0.0
v2.0.0_beta
v2.1.0
v2.2.0
v2.3.0
v2.3.1
v2.4.0
v2.4.1
v2.5.0
v2.5.1
v2.6.0
v2.6.1
v2.7.0
v2.8.0
v2.8.1
v2.8.2
v2.9.0