A remote code execution vulnerability exists in the Calculate function of parisneo/lollms version 9.8. The vulnerability arises from the use of Python's `eval()` function to evaluate mathematical expressions within a Python sandbox that disables `__builtins__` and only allows functions from the `math` module. This sandbox can be bypassed by loading the `os` module using the `_frozen_importlib.BuiltinImporter` class, allowing an attacker to execute arbitrary commands on the server. The issue is fixed in version 9.10.
Metrics
Affected Vendors & Products
Advisories
| Source | ID | Title |
|---|---|---|
EUVD |
EUVD-2025-6967 | A remote code execution vulnerability exists in the Calculate function of parisneo/lollms version 9.8. The vulnerability arises from the use of Python's `eval()` function to evaluate mathematical expressions within a Python sandbox that disables `__builtins__` and only allows functions from the `math` module. This sandbox can be bypassed by loading the `os` module using the `_frozen_importlib.BuiltinImporter` class, allowing an attacker to execute arbitrary commands on the server. The issue is fixed in version 9.10. |
Github GHSA |
GHSA-jccx-m9v4-9hwh | LoLLMS Code Injection vulnerability |
Fixes
Solution
No solution given by the vendor.
Workaround
No workaround given by the vendor.
References
History
Thu, 20 Mar 2025 19:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Thu, 20 Mar 2025 10:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | A remote code execution vulnerability exists in the Calculate function of parisneo/lollms version 9.8. The vulnerability arises from the use of Python's `eval()` function to evaluate mathematical expressions within a Python sandbox that disables `__builtins__` and only allows functions from the `math` module. This sandbox can be bypassed by loading the `os` module using the `_frozen_importlib.BuiltinImporter` class, allowing an attacker to execute arbitrary commands on the server. The issue is fixed in version 9.10. | |
| Title | Remote Code Execution in Calculate Function in parisneo/lollms | |
| Weaknesses | CWE-94 | |
| References |
| |
| Metrics |
cvssV3_0
|
Status: PUBLISHED
Assigner: @huntr_ai
Published:
Updated: 2025-03-20T18:20:14.175Z
Reserved: 2024-07-22T19:06:06.816Z
Link: CVE-2024-6982
Updated: 2025-03-20T17:49:54.360Z
Status : Received
Published: 2025-03-20T10:15:34.740
Modified: 2025-03-20T10:15:34.740
Link: CVE-2024-6982
No data.
OpenCVE Enrichment
Updated: 2025-07-12T22:01:23Z
EUVD
Github GHSA