CVE-2024-9900: 
Homebrew vulnerability analysis and mitigation

A Cross-Site Scripting (XSS) vulnerability was discovered in mudler/localai version v2.21.1, specifically affecting its search functionality. The vulnerability was assigned CVE-2024-9900 and was disclosed on March 20, 2025. The issue affects the LocalAI application, which is an open-source project (NVD).

The vulnerability stems from improper sanitization of user input in the search functionality, which allows for the injection and execution of arbitrary JavaScript code. The severity of this vulnerability has been assessed with a CVSS v3.0 base score of 5.4 (Medium), with the following vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N. The weakness has been categorized as CWE-115 (Misinterpretation of Input) (NVD).

When exploited, this vulnerability can lead to the execution of malicious scripts in the context of the victim's browser. The potential impacts include compromising user sessions, theft of session cookies, user redirection to malicious websites, and manipulation of the Document Object Model (DOM) (NVD).

A fix has been implemented through the introduction of the bluemonday sanitization library, which has been rolled out more widely across the application. The fix includes sanitizing user input in various components including the search functionality, gallery elements, and error messages (Github Commit).