Basic information
Project name: go-skynet/LocalAI
Repository URL: https://github.com/pterodactyl/panel
Scan report URL: https://www.murphysec.com/console/report/1721229158603816960/1726366557187563520
This report is provided by Murphysec
Vulnerability list
| Vulnerability name | Vulnerability type | MPS ID | CVE ID | Severity |
|---|---|---|---|---|
| Langchain | Injection | MPS-10wl-9hiu | CVE-2023-32785 | Critical |
| NumPy code issue vulnerability | Null pointer dereference | MPS-2021-32278 | CVE-2021-41495 | Medium |
| Certifi insufficient verification of data authenticity vulnerability | Insufficient verification of data authenticity | MPS-2022-1918 | CVE-2022-23491 | Medium |
| LangChain security vulnerability | SSRF | MPS-3lbr-e46h | CVE-2023-46229 | High |
| LangChain injection vulnerability | Injection | MPS-3udo-v1n0 | CVE-2023-36188 | Critical |
| urllib3 security vulnerability | | MPS-46py-nxai | CVE-2023-45803 | Medium |
| AIOHTTP | HTTP request smuggling | MPS-5tgd-mv7y | CVE-2023-47627 | Medium |
| PyPI charset-normalizer package contains embedded malicious code | Embedded malicious code | MPS-67h0-j1fr | | High |
| Langchain security vulnerability | | MPS-6i1z-gkra | CVE-2023-34540 | Critical |
| LangChain code injection vulnerability | Code injection | MPS-7jdv-a49n | CVE-2023-36281 | Critical |
| langchain-0.0.194 code injection vulnerability | Code injection | MPS-84rc-nja1 | CVE-2023-36095 | Critical |
| Langchain security vulnerability | Injection | MPS-a49n-xm37 | CVE-2023-32786 | High |
| Certifi data forgery vulnerability | Insufficient verification of data authenticity | MPS-ck78-r6zg | CVE-2023-37920 | Critical |
| langchain-0.0.231 code injection vulnerability | Code injection | MPS-fv9p-y147 | CVE-2023-38860 | Critical |
| Requests Proxy-Authorization header leak vulnerability | Unauthorized sensitive information disclosure | MPS-hr61-tzey | CVE-2023-32681 | Medium |
| LangChain SQL injection vulnerability | SQL injection | MPS-p829-6f3r | CVE-2023-36189 | High |
| aiohttp environment issue vulnerability | HTTP request smuggling | MPS-ptqs-e23v | CVE-2023-37276 | High |
| urllib3 HTTP redirect information disclosure vulnerability | Unauthorized sensitive information disclosure | MPS-s0oy-afbw | CVE-2023-43804 | High |
| LangChain security vulnerability | | MPS-s5ul-own1 | CVE-2023-36258 | Critical |
| LangChain security vulnerability | | MPS-slg6-50up | CVE-2023-44467 | Critical |
| Axios XSRF-TOKEN CSRF vulnerability | Privacy violation | MPS-v3q7-sjd2 | CVE-2023-45857 | High |
| llamaindex project injection vulnerability | Injection | MPS-vqf1-blj0 | CVE-2023-39662 | Critical |
| langchain injection vulnerability | Injection | MPS-vszg-p7q8 | CVE-2023-38896 | Critical |
| langchain injection vulnerability | Injection | MPS-x9qb-uct8 | CVE-2023-39659 | Critical |
| LangChain security vulnerability | Code injection | MPS-ze2c-1nou | CVE-2023-39631 | Critical |
Vulnerable components
| Component | Version | Minimum fixed version | Dependency type | Remediation advice |
|---|---|---|---|---|
| charset-normalizer | 3.1.0 | | Indirect dependency | Fix strongly recommended |
| certifi | 2022.12.7 | 2023.7.22 | Indirect dependency | Fix recommended |
| urllib3 | 1.26.15 | 1.26.18 | Indirect dependency | Fix recommended |
| langchain | 0.0.234 | 0.0.329 | Indirect dependency | Fix recommended |
| aiohttp | 3.8.4 | 3.8.6 | Indirect dependency | Fix recommended |
| langchain | 0.0.159 | 0.0.329 | Indirect dependency | Fix recommended |
| requests | 2.29.0 | 2.31.0 | Indirect dependency | Fix recommended |
| langchain | 0.0.160 | 0.0.329 | Indirect dependency | Fix recommended |
| axios | 0.26.1 | 1.6.0 | Indirect dependency | Fix recommended |
| numpy | 1.24.3 | | Indirect dependency | Optional fix |
| llama-index | 0.6.2 | | Indirect dependency | Optional fix |
| tslib | 2.5.0 | | Indirect dependency | |
License risk
| License type | Related components | License risk |
|---|---|---|
| Apache-2.0 | 36 | Low |
| MIT | 127 | Low |
| BSD-3-Clause | 26 | Low |
| BSD-2-Clause | 4 | Low |
| ISC | 14 | Low |
| MPL-2.0 | 4 | Low |
| Custom license | 3 | Low |
| CC0-1.0 | 1 | Low |
| 0BSD | 1 | Low |
SBOM inventory
| Component | Component version | Direct dependency? | Repository |
|---|---|---|---|
| gopkg.in/yaml.v2 | v2.4.0 | Direct dependency | go |
| typeorm | 0.3.15 | Direct dependency | npm |
| github.com/imdario/mergo | v0.3.16 | Direct dependency | go |
| Requests | 2.31.0 | Indirect dependency | pip |
| dotenv | 16.0.3 | Indirect dependency | npm |
| retry | 0.13.1 | Indirect dependency | npm |
| github.com/go-task/slim-sprig | v0.0.0-20230315185526-52ccab3ef572 | Indirect dependency | go |
| chalk | 4.1.2 | Indirect dependency | npm |
| follow-redirects | 1.15.2 | Indirect dependency | npm |
| github.com/tklauser/go-sysconf | v0.3.12 | Indirect dependency | go |
| highlight.js | 10.7.3 | Indirect dependency | npm |
| PyYAML | 6.0 | Indirect dependency | pip |
| frozenlist | 1.3.3 | Indirect dependency | pip |
| github.com/modern-go/reflect2 | v1.0.2 | Indirect dependency | go |
| mime-db | 1.52.0 | Indirect dependency | npm |
| once | 1.4.0 | Indirect dependency | npm |
| strip-ansi | 6.0.1 | Indirect dependency | npm |
| github.com/cespare/xxhash/v2 | v2.2.0 | Indirect dependency | go |
| safe-buffer | 5.2.1 | Indirect dependency | npm |
| github.com/tmc/langchaingo | v0.0.0-20231019140956-c636b3da7701 | Direct dependency | go |
| aiosignal | 1.3.1 | Indirect dependency | pip |
| openapi-schema-pydantic | 1.2.4 | Indirect dependency | pip |
| wrap-ansi | 7.0.0 | Indirect dependency | npm |
| form-data | 4.0.0 | Indirect dependency | npm |
| @anthropic-ai/sdk | 0.4.3 | Indirect dependency | npm |
| github.com/mudler/go-processmanager | v0.0.0-20230818213616-f204007f963c | Direct dependency | go |
| yarl | 1.9.2 | Indirect dependency | pip |
| github.com/klauspost/pgzip | v1.2.5 | Indirect dependency | go |
| yargs-parser | 21.1.1 | Indirect dependency | npm |
| yaml | 2.2.2 | Indirect dependency | npm |
| greenlet | 2.0.2 | Indirect dependency | pip |
| github.com/hashicorp/go-multierror | v1.1.1 | Direct dependency | go |
| @types/retry | 0.12.0 | Indirect dependency | npm |
| uuid | 9.0.0 | Indirect dependency | npm |
| github.com/andybalholm/brotli | v1.0.5 | Indirect dependency | go |
| github.com/tklauser/numcpus | v0.6.1 | Indirect dependency | go |
| thenify | 3.3.1 | Indirect dependency | npm |
| expr-eval | 2.0.2 | Indirect dependency | npm |
| github.com/google/go-cmp | v0.6.0 | Indirect dependency | go |
| github.com/dsnet/compress | v0.0.2-0.20210315054119-f66993602bf5 | Indirect dependency | go |
| github.com/prometheus/client_model | v0.4.1-0.20230718164431-9a2bf3000d16 | Indirect dependency | go |
| SQLAlchemy | 2.0.12 | Indirect dependency | pip |
| zod-to-json-schema | 3.21.0 | Indirect dependency | npm |
| github.com/prometheus/client_golang | v1.17.0 | Direct dependency | go |
| y18n | 5.0.8 | Indirect dependency | npm |
| github.com/hashicorp/errwrap | v1.0.0 | Indirect dependency | go |
| go.opentelemetry.io/otel/sdk/metric | v1.19.0 | Direct dependency | go |
| GPTVectorStoreIndex | | Indirect dependency | pip |
| balanced-match | 1.0.2 | Indirect dependency | npm |
| debugpy | 1.6.7 | Indirect dependency | pip |
| ml-distance-euclidean | 2.0.0 | Indirect dependency | npm |
| object-assign | 4.1.1 | Indirect dependency | npm |
| langchain | 0.0.67 | Direct dependency | npm |
| langchain | 0.0.159 | Indirect dependency | pip |
| github.com/valyala/bytebufferpool | v1.0.0 | Indirect dependency | go |
| charset-normalizer | 3.1.0 | Indirect dependency | pip |
| inherits | 2.0.4 | Indirect dependency | npm |
| github.com/shirou/gopsutil/v3 | v3.23.9 | Direct dependency | go |
| github.com/power-devops/perfstat | v0.0.0-20210106213030-5aafc221ea8c | Indirect dependency | go |
| urllib3 | 1.26.15 | Indirect dependency | pip |
| numexpr | 2.8.4 | Indirect dependency | pip |
| github.com/go-skynet/go-ggml-transformers.cpp | v0.0.0-20230714203132-ffb09d7dd71e | Direct dependency | go |
| ansi-regex | 5.0.1 | Indirect dependency | npm |
| @dqbd/tiktoken | 1.0.7 | Indirect dependency | npm |
| ServiceContext | | Indirect dependency | pip |
| github.com/mudler/go-stable-diffusion | v0.0.0-20230605122230-d89260f598af | Direct dependency | go |
| streamlit | 1.26.0 | Indirect dependency | pip |
| github.com/valyala/fasthttp | v1.50.0 | Direct dependency | go |
| requirements.txt | | Indirect dependency | pip |
| github.com/google/uuid | v1.3.1 | Direct dependency | go |
| certifi | 2022.12.7 | Indirect dependency | pip |
| langchain | 0.0.234 | Indirect dependency | pip |
| @fortaine/fetch-event-source | 3.0.6 | Indirect dependency | npm |
| sha.js | 2.4.11 | Indirect dependency | npm |
| gopkg.in/tomb.v1 | v1.0.0-20141024135613-dd632973f1e7 | Indirect dependency | go |
| fs.realpath | 1.0.0 | Indirect dependency | npm |
| github.com/pierrec/lz4/v4 | v4.1.2 | Indirect dependency | go |
| github.com/go-skynet/bloomz.cpp | v0.0.0-20230529155654-1834e77b83fa | Direct dependency | go |
| typescript | 5.0.4 | Direct dependency | npm |
| google.golang.org/protobuf | v1.31.0 | Direct dependency | go |
| github.com/ulikunitz/xz | v0.5.9 | Indirect dependency | go |
| github.com/valyala/tcplisten | v1.0.0 | Indirect dependency | go |
| ml-distance | 4.0.0 | Indirect dependency | npm |
| whatwg-url | 5.0.0 | Indirect dependency | npm |
| glob | 8.1.0 | Indirect dependency | npm |
| PromptTemplate | | Indirect dependency | pip |
| tr46 | 0.0.3 | Indirect dependency | npm |
| p-finally | 1.0.0 | Indirect dependency | npm |
| github.com/klauspost/compress | v1.16.7 | Indirect dependency | go |
| google.golang.org/genproto/googleapis/rpc | v0.0.0-20230822172742-b8732ec3820d | Indirect dependency | go |
| get-caller-file | 2.0.5 | Indirect dependency | npm |
| colorama | 0.4.6 | Indirect dependency | pip |
| langchain | 0.0.160 | Indirect dependency | pip |
| idna | 3.4 | Indirect dependency | pip |
| @sqltools/formatter | 1.2.5 | Indirect dependency | npm |
| github.com/cpuguy83/go-md2man/v2 | v2.0.2 | Indirect dependency | go |
| github.com/golang/protobuf | v1.5.3 | Indirect dependency | go |
| minimatch | 5.1.6 | Indirect dependency | npm |
| p-timeout | 3.2.0 | Indirect dependency | npm |
| typing_extensions | 4.5.0 | Indirect dependency | pip |
| @types/node | 18.16.4 | Direct dependency | npm |
| github.com/mudler/go-ggllm.cpp | v0.0.0-20230709223052-862477d16eef | Direct dependency | go |
| emoji-regex | 8.0.0 | Indirect dependency | npm |
| github.com/go-audio/audio | v1.0.0 | Indirect dependency | go |
| llama_hub | 0.0.41 | Indirect dependency | pip |
| golang.org/x/term | v0.13.0 | Indirect dependency | go |
| golang.org/x/sys | v0.13.0 | Indirect dependency | go |
| github.com/json-iterator/go | v1.1.12 | Direct dependency | go |
| is-fullwidth-code-point | 3.0.0 | Indirect dependency | npm |
| github.com/prometheus/procfs | v0.11.1 | Indirect dependency | go |
| app-root-path | 3.1.0 | Indirect dependency | npm |
| github.com/yusufpapurcu/wmi | v1.2.3 | Indirect dependency | go |
| SimpleDirectoryReader | | Indirect dependency | pip |
| github.com/mitchellh/colorstring | v0.0.0-20190213212951-d06e56a500db | Indirect dependency | go |
| openai | 3.2.1 | Indirect dependency | npm |
| openai | 0.27.8 | Indirect dependency | pip |
| axios | 0.26.1 | Indirect dependency | npm |
| github.com/shoenig/go-m1cpu | v0.1.6 | Indirect dependency | go |
| gopkg.in/fsnotify.v1 | v1.4.7 | Indirect dependency | go |
| cli-highlight | 2.1.11 | Indirect dependency | npm |
| zod | 3.21.4 | Indirect dependency | npm |
| github.com/prometheus/common | v0.44.0 | Indirect dependency | go |
| go.opentelemetry.io/otel/sdk | v1.19.0 | Indirect dependency | go |
| github.com/mattn/go-isatty | v0.0.19 | Indirect dependency | go |
| parse5-htmlparser2-tree-adapter | 6.0.1 | Indirect dependency | npm |
| browser-or-node | 2.1.1 | Indirect dependency | npm |
| LLMPredictor | | Indirect dependency | pip |
| binary-search | 1.3.6 | Indirect dependency | npm |
| github.com/onsi/gomega | v1.28.1 | Direct dependency | go |
| github.com/matttproud/golang_protobuf_extensions | v1.0.4 | Indirect dependency | go |
| parse5 | 5.1.1 | Indirect dependency | npm |
| github.com/hpcloud/tail | v1.0.0 | Direct dependency | go |
| p-queue | 6.6.2 | Indirect dependency | npm |
| github.com/dlclark/regexp2 | v1.8.1 | Indirect dependency | go |
| eventemitter3 | 4.0.7 | Indirect dependency | npm |
| num-sort | 2.1.0 | Indirect dependency | npm |
| github.com/onsi/ginkgo/v2 | v2.13.0 | Direct dependency | go |
| github.com/rs/zerolog | v1.31.0 | Direct dependency | go |
| github.com/go-audio/wav | v1.1.0 | Direct dependency | go |
| p-retry | 4.6.2 | Indirect dependency | npm |
| github.com/go-logr/logr | v1.2.4 | Indirect dependency | go |
| github.com/go-skynet/go-llama.cpp | v0.0.0-20231009155254-aeba71ee8428 | Direct dependency | go |
| asynckit | 0.4.0 | Indirect dependency | npm |
| go.opentelemetry.io/otel | v1.19.0 | Direct dependency | go |
| packaging | 23.1 | Indirect dependency | pip |
| github.com/xi2/xz | v0.0.0-20171230120015-48954b6210f8 | Indirect dependency | go |
| VectorStoreIndex | | Indirect dependency | pip |
| ml-array-sum | 1.1.6 | Indirect dependency | npm |
| webidl-conversions | 3.0.1 | Indirect dependency | npm |
| object-hash | 3.0.0 | Indirect dependency | npm |
| github.com/lufia/plan9stats | v0.0.0-20211012122336-39d0f177ccd0 | Indirect dependency | go |
| github.com/urfave/cli/v2 | v2.25.7 | Direct dependency | go |
| mime-types | 2.1.35 | Indirect dependency | npm |
| mypy-extensions | 1.0.0 | Indirect dependency | pip |
| async-timeout | 4.0.2 | Indirect dependency | pip |
| supports-color | 7.2.0 | Indirect dependency | npm |
| numpy | 1.24.3 | Indirect dependency | pip |
| github.com/otiai10/openaigo | v1.6.0 | Direct dependency | go |
| cliui | 8.0.1 | Indirect dependency | npm |
| chromadb | 0.3.21 | Indirect dependency | pip |
| langchain | | Indirect dependency | pip |
| github.com/nwaples/rardecode | v1.1.0 | Indirect dependency | go |
| pydantic | 1.10.7 | Indirect dependency | pip |
| delayed-stream | 1.0.0 | Indirect dependency | npm |
| dataclasses-json | 0.5.7 | Indirect dependency | pip |
| github.com/mudler/go-piper | v0.0.0-20230621222733-56b8a81b4760 | Direct dependency | go |
| color-convert | 2.0.1 | Direct dependency | npm |
| github.com/google/pprof | v0.0.0-20210407192527-94a9f03dee38 | Indirect dependency | go |
| ansi-styles | 5.2.0 | Indirect dependency | npm |
| llama-index | 0.6.2 | Indirect dependency | pip |
| golang.org/x/text | v0.13.0 | Indirect dependency | go |
| tqdm | 4.65.0 | Indirect dependency | pip |
| go.opentelemetry.io/otel/trace | v1.19.0 | Indirect dependency | go |
| gopkg.in/yaml.v3 | v3.0.1 | Direct dependency | go |
| go.opentelemetry.io/otel/exporters/prometheus | v0.42.0 | Direct dependency | go |
| weaviate_client | 3.25.1 | Indirect dependency | pip |
| binary-extensions | 2.2.0 | Indirect dependency | npm |
| google.golang.org/grpc | v1.59.0 | Direct dependency | go |
| github.com/schollz/progressbar/v3 | v3.13.1 | Direct dependency | go |
| github.com/pkoukk/tiktoken-go | v0.1.2 | Indirect dependency | go |
| github.com/rivo/uniseg | v0.2.0 | Indirect dependency | go |
| github.com/donomii/go-rwkv.cpp | v0.0.0-20230715075832-c898cd0f62df | Direct dependency | go |
| github.com/nomic-ai/gpt4all/gpt4all-bindings/golang | v0.0.0-20231022042237-c25dc5193530 | Direct dependency | go |
| github.com/ggerganov/whisper.cpp/bindings/go | v0.0.0-20230628193450-85ed71aaec8e | Direct dependency | go |
| buffer | 6.0.3 | Indirect dependency | npm |
| reflect-metadata | 0.1.13 | Indirect dependency | npm |
| yargs | 17.7.2 | Indirect dependency | npm |
| node-fetch | 2.6.7 | Indirect dependency | npm |
| github.com/xrash/smetrics | v0.0.0-20201216005158-039620a65673 | Indirect dependency | go |
| typing-inspect | 0.8.0 | Indirect dependency | pip |
| multidict | 6.0.4 | Indirect dependency | pip |
| github.com/sashabaranov/go-openai | v1.16.0 | Direct dependency | go |
| tslib | 2.5.0 | Indirect dependency | npm |
| wrappy | 1.0.2 | Indirect dependency | npm |
| mkdirp | 2.1.6 | Indirect dependency | npm |
| github.com/go-audio/riff | v1.0.0 | Indirect dependency | go |
| marshmallow-enum | 1.5.1 | Indirect dependency | pip |
| escalade | 3.1.1 | Indirect dependency | npm |
| github.com/go-logr/stdr | v1.2.2 | Indirect dependency | go |
| combined-stream | 1.0.8 | Indirect dependency | npm |
| requests | 2.29.0 | Indirect dependency | pip |
| flat | 5.0.2 | Indirect dependency | npm |
| tenacity | 8.2.2 | Indirect dependency | pip |
| github.com/phayes/freeport | v0.0.0-20220201140144-74d24b5ae9f5 | Direct dependency | go |
| is-any-array | 2.0.1 | Indirect dependency | npm |
| github.com/gofiber/fiber/v2 | v2.50.0 | Direct dependency | go |
| github.com/mattn/go-runewidth | v0.0.15 | Indirect dependency | go |
| aiohttp | 3.8.4 | Indirect dependency | pip |
| github.com/go-ole/go-ole | v1.2.6 | Indirect dependency | go |
| thenify-all | 1.6.0 | Indirect dependency | npm |
| brace-expansion | 2.0.1 | Indirect dependency | npm |
| golang.org/x/tools | v0.12.0 | Indirect dependency | go |
| golang.org/x/net | v0.17.0 | Indirect dependency | go |
| go.opentelemetry.io/otel/metric | v1.19.0 | Direct dependency | go |
| github.com/golang/snappy | v0.0.2 | Indirect dependency | go |
| github.com/go-skynet/go-bert.cpp | v0.0.0-20230716133540-6abe312cded1 | Direct dependency | go |
| attrs | 23.1.0 | Indirect dependency | pip |
| PromptHelper | | Indirect dependency | pip |
| any-promise | 1.3.0 | Indirect dependency | npm |
| color-name | 1.1.4 | Indirect dependency | npm |
| github.com/beorn7/perks | v1.0.1 | Indirect dependency | go |
| ms | 2.1.2 | Indirect dependency | npm |
| llama_index | 0.8.55 | Indirect dependency | pip |
| cross-fetch | 3.1.5 | Indirect dependency | npm |
| marshmallow | 3.19.0 | Indirect dependency | pip |
| jsonpointer | 5.0.1 | Indirect dependency | npm |
| github.com/russross/blackfriday/v2 | v2.1.0 | Indirect dependency | go |
| github.com/mholt/archiver/v3 | v3.5.1 | Direct dependency | go |
| has-flag | 4.0.0 | Indirect dependency | npm |
| ieee754 | 1.2.1 | Indirect dependency | npm |
| github.com/mattn/go-colorable | v0.1.13 | Indirect dependency | go |
| mz | 2.7.0 | Indirect dependency | npm |
| ml-array-mean | 1.1.6 | Indirect dependency | npm |
| base64-js | 1.5.1 | Indirect dependency | npm |
| inflight | 1.0.6 | Indirect dependency | npm |
| ml-tree-similarity | 1.0.0 | Indirect dependency | npm |
| string-width | 4.2.3 | Indirect dependency | npm |
| openai | 0.27.6 | Indirect dependency | pip |
| LLMChain | | Indirect dependency | pip |
| require-directory | 2.1.1 | Indirect dependency | npm |
| debug | 4.3.4 | Indirect dependency | npm |
| github.com/modern-go/concurrent | v0.0.0-20180306012644-bacd9c7ef1dd | Indirect dependency | go |