CVE-2024-8982

MEDIUM

OpenLLM 0.6.10 - LFI

Title source: llm

Description

A Local File Inclusion (LFI) vulnerability in OpenLLM version 0.6.10 allows attackers to include files from the local server through the web application. This flaw could expose internal server files and potentially sensitive information such as configuration files, passwords, and other critical data. Unauthorized access to critical server files, such as configuration files, user credentials (/etc/passwd), and private keys, can lead to a complete compromise of the system's security. Attackers could leverage the exposed information to further penetrate the network, exfiltrate data, or escalate privileges within the environment.

References (1)

[Exploit, Third Party Advisory] https://huntr.com/bounties/b7bdc9a1-51ac-402a-8e6e-0d977699aca6

Scores

CVSS v3 6.2

EPSS 0.0033

EPSS Percentile 55.5%

Attack Vector LOCAL

CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-29

Status published

Products (1)

bentoml/bentoml/openllm unspecified - latest

Published Mar 20, 2025

Tracked Since Feb 18, 2026