CVE-2024-12065 is a path traversal vulnerability categorized under CWE-22 found in the haotian-liu/llava project, specifically within the gradio web UI component. The flaw stems from improper limitation of pathname inputs, allowing attackers to craft requests that bypass directory restrictions and access arbitrary files on the underlying system. This local file inclusion (LFI) vulnerability can be exploited remotely without requiring authentication or user interaction, as the gradio component accepts network requests directly. By manipulating file path parameters, an attacker can read sensitive files such as configuration files, credentials, or other critical data stored on the server. The vulnerability was identified at commit c121f04, but affected versions are unspecified, indicating that users should assume all current versions prior to patching are vulnerable. The CVSS v3.0 base score is 7.5, reflecting network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and high confidentiality impact (C:H) with no impact on integrity or availability. No public exploits have been reported yet, but the ease of exploitation and potential data exposure make this a significant threat. The vulnerability highlights the importance of robust input validation and secure file handling in web UI components, especially those exposed to external networks.

For European organizations, exploitation of CVE-2024-12065 could lead to unauthorized disclosure of sensitive internal files, including configuration files, credentials, or proprietary data, potentially resulting in data breaches and compliance violations under GDPR. The lack of authentication and user interaction requirements means attackers can remotely exploit this vulnerability with minimal effort, increasing the risk of widespread compromise. Organizations using haotian-liu/llava or integrating the gradio web UI component in AI/ML workflows or web services are particularly at risk. The exposure of sensitive files could facilitate further attacks such as privilege escalation, lateral movement, or targeted espionage. Given the growing adoption of AI and machine learning tools in European industries, this vulnerability could impact sectors like finance, healthcare, and research institutions that rely on these technologies. Additionally, the breach of confidentiality could damage organizational reputation and lead to regulatory penalties.

European organizations should immediately audit their deployments of haotian-liu/llava and the gradio web UI component to identify vulnerable versions. Since no official patches are currently linked, organizations should implement strict input validation and sanitization on all file path parameters to ensure they cannot traverse directories outside intended boundaries. Employ allowlisting of permissible file paths and enforce least privilege file system permissions to limit file access scope. Network-level protections such as web application firewalls (WAFs) can be configured to detect and block path traversal patterns in HTTP requests. Monitoring and logging access to sensitive files can help detect exploitation attempts early. Organizations should also isolate the affected components in segmented network zones to reduce exposure. Finally, maintain vigilance for vendor updates or patches and apply them promptly once available.