CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

Threat and Vulnerability Intelligence Database

CVE-2025-0190

Description: In version 3.25.0 of aimhubio/aim, a denial of service vulnerability exists. By tracking a large number of `Text` objects and then querying them simultaneously through the web API, the Aim web server becomes unresponsive to other requests for an extended period while processing and returning these objects. This vulnerability can be exploited repeatedly, leading to a complete denial of service.

CVSS: HIGH (7.5)

EPSS Score: 0.05%

Source: CVE
March 20th, 2025 (4 months ago)

CVE-2025-0189

Description: In version 3.25.0 of aimhubio/aim, the tracking server is vulnerable to a denial of service attack. The server overrides the maximum size for websocket messages, allowing very large images to be tracked. This causes the server to become unresponsive to other requests while processing the large image, leading to a denial of service condition.

CVSS: HIGH (7.5)

EPSS Score: 0.05%

Source: CVE
March 20th, 2025 (4 months ago)

CVE-2025-0187

Description: A Denial of Service (DoS) vulnerability was discovered in the file upload feature of gradio-app/gradio version 0.39.1. The vulnerability is due to improper handling of form-data with a large filename in the file upload request. By sending a payload with an excessively large filename, the server becomes overwhelmed and unresponsive, leading to unavailability for legitimate users.

CVSS: HIGH (7.5)

EPSS Score: 0.08%

Source: CVE
March 20th, 2025 (4 months ago)

CVE-2025-0185

Description: A vulnerability in the Dify Tools' Vanna module of the langgenius/dify repository allows for a Pandas Query Injection in the latest version. The vulnerability occurs in the function `vn.get_training_plan_generic(df_information_schema)`, which does not properly sanitize user inputs before executing queries using the Pandas library. This can potentially lead to Remote Code Execution (RCE) if exploited.

CVSS: HIGH (8.8)

EPSS Score: 0.24%

Source: CVE
March 20th, 2025 (4 months ago)

CVE-2025-0182

Description: A vulnerability in danswer-ai/danswer version 0.9.0 allows for denial of service through memory exhaustion. The issue arises from the use of a vulnerable version of the starlette package (<=0.49) via fastapi, which was patched in fastapi version 0.115.3. The vulnerability can be exploited by sending multiple requests to the /auth/saml/callback endpoint, leading to uncontrolled memory consumption and eventual denial of service.

CVSS: HIGH (7.5)

EPSS Score: 0.05%

Source: CVE
March 20th, 2025 (4 months ago)

CVE-2024-9919

Description: A missing authentication check in the uninstall endpoint of parisneo/lollms-webui V13 allows attackers to perform unauthorized directory deletions. The /uninstall/{app_name} API endpoint does not call the check_access() function to verify the client_id, enabling attackers to delete directories without proper authentication.

CVSS: HIGH (8.4)

EPSS Score: 0.03%

Source: CVE
March 20th, 2025 (4 months ago)

CVE-2024-9847

Description: FlatPress CMS version latest is vulnerable to Cross-Site Request Forgery (CSRF) attacks that allow an attacker to enable or disable plugins on behalf of a victim user. The attacker can craft a malicious link or script that, when clicked by an authenticated user, will send a request to the FlatPress CMS server to perform the desired action on behalf of the victim user. Since the request is authenticated, the server will process it as if it were initiated by the legitimate user, effectively allowing the attacker to perform unauthorized actions. This vulnerability is fixed in version 1.4.dev.

CVSS: HIGH (8.0)

EPSS Score: 0.02%

Source: CVE
March 20th, 2025 (4 months ago)

CVE-2024-9699

Description: A vulnerability in the file upload functionality of the FlatPress CMS admin panel (version latest) allows an attacker to upload a file with a JavaScript payload disguised as a filename. This can lead to a Cross-Site Scripting (XSS) attack if the uploaded file is accessed by other users. The issue is fixed in version 1.4.dev.

CVSS: HIGH (7.5)

EPSS Score: 0.02%

Source: CVE
March 20th, 2025 (4 months ago)

CVE-2024-9606

Description: In berriai/litellm before version 1.44.12, the `litellm/litellm_core_utils/litellm_logging.py` file contains a vulnerability where the API key masking code only masks the first 5 characters of the key. This results in the leakage of almost the entire API key in the logs, exposing a significant amount of the secret key. The issue affects version v1.44.9.

CVSS: HIGH (7.5)

EPSS Score: 0.04%

Source: CVE
March 20th, 2025 (4 months ago)

CVE-2024-9597

Description: A Path Traversal vulnerability exists in the `/wipe_database` endpoint of parisneo/lollms version v12, allowing an attacker to delete any directory on the system. The vulnerability arises from improper validation of the `key` parameter, which is used to construct file paths. An attacker can exploit this by sending a specially crafted HTTP request to delete arbitrary directories.

CVSS: HIGH (7.1)

EPSS Score: 0.07%

Source: CVE
March 20th, 2025 (4 months ago)