CVE-2024-9919 in lollms-webui

Summary

by MITRE • 03/20/2025

A missing authentication check in the uninstall endpoint of parisneo/lollms-webui V13 allows attackers to perform unauthorized directory deletions. The /uninstall/{app_name} API endpoint does not call the check_access() function to verify the client_id, enabling attackers to delete directories without proper authentication.


Analysis

by VulDB Data Team • 07/09/2025

CVE-2024-9919 is an authentication bypass in the uninstall endpoint of parisneo/lollms-webui V13. The handler for /uninstall/{app_name} never calls check_access(), the function the rest of the API uses to validate the caller's client_id, so the request is processed without any verification of who sent it and the endpoint's directory-deletion capability is reachable by anyone who can reach the API.

The defect is an omission rather than a broken check. check_access() is the gatekeeper for sensitive operations: it is meant to confirm the client's identity and permissions before a handler does anything. Because the uninstall handler skips it, every request to /uninstall/{app_name} is treated as authorized, whatever it carries.
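As an added illustration (not lollms-webui's own code), the ungated handler shape the advisory describes beside a gated one. The AppsServer class, its check_access(), the client registry and the temporary apps directory are assumptions for the example; HTTP routing is omitted so the logic runs stand-alone. The fixed handler also confines app_name to a direct child of the apps root, which goes beyond the advisory's point but is what a reviewer would ask for in the same patch.

```python
"""Added example: an ungated uninstall handler beside its gated form.

Everything here (AppsServer, its check_access, the client registry, the
apps directory layout) is a hypothetical stand-in for the pattern the
advisory describes, not lollms-webui's code; HTTP routing is left out so
the logic runs stand-alone.
"""
from __future__ import annotations

import shutil
import tempfile
from pathlib import Path


class AccessDenied(Exception):
    """Raised when a request carries no known client_id."""


class AppsServer:
    def __init__(self, apps_root: Path, known_clients: set[str]) -> None:
        self.apps_root = apps_root.resolve()
        self.known_clients = known_clients

    def check_access(self, client_id: str | None) -> None:
        """The gate the advisory says the uninstall endpoint never called."""
        if client_id is None or client_id not in self.known_clients:
            raise AccessDenied("unknown or missing client_id")

    def _app_dir(self, app_name: str) -> Path:
        """Confine app_name to a direct child of apps_root (defence in depth;
        the advisory itself only covers the missing authentication check)."""
        if not app_name or "/" in app_name or "\\" in app_name:
            raise ValueError(f"invalid app name: {app_name!r}")
        target = (self.apps_root / app_name).resolve()
        if target.parent != self.apps_root:
            raise ValueError(f"refusing to operate outside apps root: {app_name!r}")
        return target

    def uninstall_vulnerable(self, app_name: str) -> bool:
        """Vulnerable shape: no client_id taken, no check_access() call."""
        target = self.apps_root / app_name
        if target.is_dir():
            shutil.rmtree(target)
            return True
        return False

    def uninstall_fixed(self, app_name: str, client_id: str | None) -> bool:
        """Fixed shape: authenticate, then confine the path, then delete."""
        self.check_access(client_id)
        target = self._app_dir(app_name)
        if target.is_dir():
            shutil.rmtree(target)
            return True
        return False


def demo() -> dict[str, object]:
    """Exercise both handlers against a throwaway apps directory."""
    root = Path(tempfile.mkdtemp())
    for name in ("calc", "notes"):
        (root / name).mkdir()
    server = AppsServer(root, known_clients={"client-1"})
    results: dict[str, object] = {}

    # An anonymous caller deletes an app through the vulnerable handler.
    results["anon_vulnerable"] = server.uninstall_vulnerable("calc")

    # The same caller is stopped by check_access() in the fixed handler.
    try:
        server.uninstall_fixed("notes", client_id=None)
        results["anon_fixed"] = "deleted"
    except AccessDenied:
        results["anon_fixed"] = "denied"

    # Even an authenticated client cannot point the handler outside the apps root.
    try:
        server.uninstall_fixed("../notes", client_id="client-1")
        results["traversal"] = "allowed"
    except ValueError:
        results["traversal"] = "rejected"

    # A known client may still uninstall a real app.
    results["known_fixed"] = server.uninstall_fixed("notes", client_id="client-1")
    results["notes_exists"] = (root / "notes").exists()

    shutil.rmtree(root)
    return results


if __name__ == "__main__":
    print(demo())
```

The ordering in uninstall_fixed() matters: the authentication check runs before the path is even examined, so an unauthenticated caller learns nothing about which app names exist.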

An unauthenticated caller can therefore trigger directory deletions, removing application components, configuration or user content and leaving the deployment in a broken state. How far such a deletion can reach depends on how the handler derives the target path from app_name; the advisory only establishes that directories can be deleted without authentication. Either way the endpoint violates least privilege: a destructive operation is exposed with no privilege requirement at all.

The flaw is filed under CWE-285 (Improper Authorization); CWE-306 (Missing Authentication for Critical Function) describes the defect equally well, since no check is performed at all. The ATT&CK mapping given is T1078.004 and T1486, which is a loose fit: T1078.004 (Valid Accounts: Cloud Accounts) presumes the attacker holds an account, which this exploit does not need, and T1486 is Data Encrypted for Impact, whereas directory deletion matches T1485 (Data Destruction). Exploitability is high because a destructive operation needs no credentials, which makes the issue most dangerous where the web UI is reachable from untrusted networks or users.

The fix is to call check_access() in the uninstall endpoint and reject the request before any deletion takes place, exactly as the other sensitive endpoints do; the same audit should confirm that every destructive or configuration-changing API route validates client_id. Deployments should also log every call to the uninstall endpoint, including failed authorization, so unauthorized attempts are visible, and rate-limit uninstall requests to bound what an automated attacker can do while a fix is pending. These controls correspond to API2:2023 Broken Authentication in the OWASP API Security Top 10, and their enforcement across all endpoints should be confirmed by testing rather than assumed.
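As an added example of the logging and rate-limiting controls just described (not lollms-webui code, and not its log format): a small detector over JSON-lines audit events that a hypothetical hook on the uninstall endpoint would emit, one line per call with the source address, path, client_id and the outcome of the access check. The field names, thresholds and the sample lines are constructed for the example.

```python
"""Added example: flagging suspicious uninstall activity in an audit log.

The events are a constructed JSON-lines stream from a hypothetical audit
hook on the uninstall endpoint; the field names and sample lines are
assumptions for this example, not a lollms-webui log format.
"""
from __future__ import annotations

import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: one authorized call, one unauthenticated probe, then a
# burst of denied attempts from the same outside address, then unrelated traffic.
SAMPLE_AUDIT_LOG = """
{"ts": "2025-03-20T10:00:01Z", "src": "10.0.0.5", "path": "/uninstall/calc", "client_id": "c-1", "auth": "ok"}
{"ts": "2025-03-20T10:00:07Z", "src": "203.0.113.9", "path": "/uninstall/notes", "client_id": null, "auth": "missing"}
{"ts": "2025-03-20T10:01:00Z", "src": "203.0.113.9", "path": "/uninstall/a", "client_id": "bogus", "auth": "denied"}
{"ts": "2025-03-20T10:01:02Z", "src": "203.0.113.9", "path": "/uninstall/b", "client_id": "bogus", "auth": "denied"}
{"ts": "2025-03-20T10:01:04Z", "src": "203.0.113.9", "path": "/uninstall/c", "client_id": "bogus", "auth": "denied"}
{"ts": "2025-03-20T10:01:05Z", "src": "203.0.113.9", "path": "/uninstall/d", "client_id": "bogus", "auth": "denied"}
{"ts": "2025-03-20T10:30:00Z", "src": "10.0.0.5", "path": "/chat", "client_id": "c-1", "auth": "ok"}
""".strip()


def parse_events(text: str) -> list[dict]:
    """Parse JSON-lines audit events; timestamps become datetime objects."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def detect(events: list[dict], burst_threshold: int = 3,
           window: timedelta = timedelta(seconds=60)) -> list[tuple]:
    """Return alerts for uninstall calls that failed the access check and for
    sources issuing burst_threshold uninstall calls within one sliding window.
    """
    alerts: list[tuple] = []
    recent: dict[str, deque] = defaultdict(deque)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if not ev["path"].startswith("/uninstall/"):
            continue
        # Any outcome other than "ok" means the caller lacked a valid client_id.
        if ev["auth"] != "ok":
            alerts.append(("unauth_uninstall", ev["src"], ev["path"]))
        # Sliding-window count per source; fires when the count reaches the threshold.
        q = recent[ev["src"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if len(q) == burst_threshold:
            alerts.append(("uninstall_burst", ev["src"], len(q)))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_AUDIT_LOG)):
        print(alert)
```

The burst rule is the detection-side twin of a rate limit: the same per-source sliding window that would throttle the endpoint here produces an alert instead, so it can run against logs from an unpatched instance without changing the application.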

Responsible

@huntr Ai

Reservation

10/13/2024

Disclosure

03/20/2025

Moderation

accepted

CPE

ready

EPSS

0.00297

KEV

no

Activities

very low

Sources
