GHSA-297x-2qf3-jrj3

Source

https://github.com/advisories/GHSA-297x-2qf3-jrj3

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/01/GHSA-297x-2qf3-jrj3/GHSA-297x-2qf3-jrj3.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-297x-2qf3-jrj3

Aliases

CVE-2024-23730

Published

2024-01-21T18:30:34Z

Modified

2025-05-30T16:45:57.771381Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

Unsafe yaml deserialization in llama-hub

Details

The OpenAPI and ChatGPT plugin loaders in LlamaHub (aka llama-hub) before 0.0.67 allow attackers to execute arbitrary code because safe_load is not used for YAML.

Database specific

{
    "nvd_published_at": "2024-01-21T17:15:44Z",
    "cwe_ids": [
        "CWE-502"
    ],
    "severity": "CRITICAL",
    "github_reviewed": true,
    "github_reviewed_at": "2024-01-22T21:23:34Z"
}

References

Affected packages

PyPI / llama-hub

Package

Name: llama-hub; View open source insights on deps.dev
Purl: pkg:pypi/llama-hub

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.0.67

Affected versions

0.*

0.0.1a1

0.0.1a2

0.0.1

0.0.2

0.0.3

0.0.4

0.0.5

0.0.6

0.0.7

0.0.8

0.0.9

0.0.10

0.0.11

0.0.12

0.0.13

0.0.14

0.0.15

0.0.16

0.0.18

0.0.19

0.0.21

0.0.22

0.0.23

0.0.24

0.0.24.post1

0.0.25

0.0.26

0.0.27

0.0.29

0.0.30

0.0.31

0.0.32

0.0.33

0.0.34

0.0.35

0.0.36

0.0.37

0.0.38

0.0.39

0.0.40

0.0.41

0.0.42

0.0.43

0.0.44

0.0.45

0.0.46

0.0.47

0.0.47.post1

0.0.48

0.0.50

0.0.52

0.0.54

0.0.55

0.0.55.post1

0.0.56

0.0.56.post1

0.0.57

0.0.58

0.0.58.post1

0.0.59

0.0.60

0.0.61

0.0.62

0.0.64

0.0.65

0.0.66