CVE-2024-12065

Published: Mar 20, 2025Modified: Oct 21, 2025

7.5

Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Exploitability: 3.9 / Impact: 3.6

Source: security@huntr.dev (Secondary)

Description

A local file inclusion vulnerability exists in haotian-liu/llava at commit c121f04. This vulnerability allows an attacker to access any file on the system by sending multiple crafted requests to the server. The issue is due to improper input validation in the gradio web UI component.

Affected (1)

Products: Hliu: Llava

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Hliu Llava	Version 2024-05-11

Related CWEs

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

References (1)

https://huntr.com/bounties/0594503c-038f-401c-9127-08be32bfd682

Source: security@huntr.dev

ExploitThird Party Advisory

Timeline

No history available yet.