CVE-2024-5181

A command injection vulnerability exists in the mudler/localai version 2.14.0. The vulnerability arises from the application's handling of the backend parameter in the configuration file, which is used in the name of the initialized process. An attacker can exploit this vulnerability by manipulating the path of the vulnerable binary file specified in the backend parameter, allowing the execution of arbitrary code on the system. This issue is due to improper neutralization of special elements used in an OS command, leading to potential full control over the affected system.

CVSS

No CVSS.

References

Link	Resource
https://github.com/mudler/localai/commit/1a3dedece06cab1acc3332055d285ac540a47f0e	Patch
https://github.com/mudler/localai/commit/1a3dedece06cab1acc3332055d285ac540a47f0e	Patch
https://huntr.com/bounties/c6e3cb58-6fa4-4207-bb92-ae7644174661	Exploit Third Party Advisory
https://huntr.com/bounties/c6e3cb58-6fa4-4207-bb92-ae7644174661	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:mudler:localai:2.14.0:*:*:*:*:*:*:*

History

15 Jul 2025, 15:38

Type	Values Removed	Values Added
First Time		Mudler Mudler localai
CPE		cpe:2.3:a:mudler:localai:2.14.0:::::::*
CWE	~~CWE-78~~
References	~~() https://huntr.com/bounties/c6e3cb58-6fa4-4207-bb92-ae7644174661 -~~	() https://huntr.com/bounties/c6e3cb58-6fa4-4207-bb92-ae7644174661 - Exploit, Third Party Advisory
References	~~() https://github.com/mudler/localai/commit/1a3dedece06cab1acc3332055d285ac540a47f0e -~~	() https://github.com/mudler/localai/commit/1a3dedece06cab1acc3332055d285ac540a47f0e - Patch

26 Jun 2024, 03:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-06-26 03:15

Updated : 2025-07-15 15:38

NVD link : CVE-2024-5181

Mitre link : CVE-2024-5181

JSON object : View

Products Affected

mudler

localai

CWE

No CWE.

JSON object

Attach tags to CVE-2024-5181

Attach tags to `CVE-2024-5181`