LocalAI

v4.2.5 Security

This release includes 1 security fix for security teams reviewing exposed deployments.

Published 18d Model Serving & MLOps

View tool

✓ No known CVEs patched

Read the diff → Tool health → What is this tool? →

This release patches 1 known CVE

Topics

agents ai api audio-generation decentralized distributed

+12 more

image-generation libp2p llama llm mamba mcp musicgen object-detection rerank stable-diffusion text-generation tts

Affected surfaces

deps

Summary

AI summary

Fixed nil filter guard in Ollama gallery model listing and accepted float‑encoded integer options.

Changes in this release

Type	Severity	Summary	CVE
Security	Medium	Close Hugging Face scan response body to prevent information leakage. Close Hugging Face scan response body to prevent information leakage. Source: llm_adapter@2026-05-21 Confidence: high	—
Security	Medium	Bump gomarkdown/markdown to mitigate GHSA-77fj-vx54-gvh7 vulnerability. Bump gomarkdown/markdown to mitigate GHSA-77fj-vx54-gvh7 vulnerability. Source: llm_adapter@2026-05-21 Confidence: low	—
Feature
Feature	Medium	Expose 12 missing common_params via options[] for llama-cpp. Expose 12 missing common_params via options[] for llama-cpp. Source: llm_adapter@2026-05-21 Confidence: high	—
Feature	Medium	Validate video image URLs before download. Validate video image URLs before download. Source: llm_adapter@2026-05-21 Confidence: high	—
Feature	Medium	Update Swagger documentation for LocalAI. Update Swagger documentation for LocalAI. Source: llm_adapter@2026-05-21 Confidence: high	—
Dependency
Dependency	Medium	Bump ggml-org/llama.cpp to `7f3f843c31cd32dc4adc10b393342dfee071c332`. Bump ggml-org/llama.cpp to `7f3f843c31cd32dc4adc10b393342dfee071c332`. Source: llm_adapter@2026-05-21 Confidence: low	—
Dependency	Medium	Update antirez/ds4 to `04b6fda2be395094cbf2d20d921e7a705a4166ef`. Update antirez/ds4 to `04b6fda2be395094cbf2d20d921e7a705a4166ef`. Source: llm_adapter@2026-05-21 Confidence: low	—
Dependency	Medium	Update ggml-org/whisper.cpp to `46ca43d6399fdeada1b49fb2126ba373bd9ebc38`. Update ggml-org/whisper.cpp to `46ca43d6399fdeada1b49fb2126ba373bd9ebc38`. Source: llm_adapter@2026-05-21 Confidence: low	—
Dependency	Medium	Update ikawrakow/ik_llama.cpp to `0fcffdb64d21e57f0778f342415754156e01adfa`. Update ikawrakow/ik_llama.cpp to `0fcffdb64d21e57f0778f342415754156e01adfa`. Source: llm_adapter@2026-05-21 Confidence: low	—
Dependency	Medium	Update vllm-project/vllm cu130 wheel to `0.21.0`. Update vllm-project/vllm cu130 wheel to `0.21.0`. Source: llm_adapter@2026-05-21 Confidence: low	—
Dependency	Medium	Bump ikawrakow/ik_llama.cpp to `5cc0d86c760e9858e4bed4418400bb39dbe025f2`. Bump ikawrakow/ik_llama.cpp to `5cc0d86c760e9858e4bed4418400bb39dbe025f2`. Source: llm_adapter@2026-05-21 Confidence: low	—
Dependency	Medium	Update antirez/ds4 to `950e8e6474a1c9fabe04e669d607606a7ef8824f`. Update antirez/ds4 to `950e8e6474a1c9fabe04e669d607606a7ef8824f`. Source: llm_adapter@2026-05-21 Confidence: low	—
Dependency	Medium	Update ggml-org/whisper.cpp to `968eebe77225d25e57a3f981da7c696310f0e881`. Update ggml-org/whisper.cpp to `968eebe77225d25e57a3f981da7c696310f0e881`. Source: llm_adapter@2026-05-21 Confidence: low	—
Dependency	Medium	Bump ggml-org/llama.cpp to `1348f67c58f561808136e8a152a9eddec168f221`. Bump ggml-org/llama.cpp to `1348f67c58f561808136e8a152a9eddec168f221`. Source: llm_adapter@2026-05-21 Confidence: low	—
Bugfix
Bugfix	Medium	Guard nil filter in galleryop.ListModels fixes issue #9817. Guard nil filter in galleryop.ListModels fixes issue #9817. Source: llm_adapter@2026-05-21 Confidence: high	—
Bugfix	Medium	Honor output_modalities to skip TTS in text-only mode for realtime streaming. Honor output_modalities to skip TTS in text-only mode for realtime streaming. Source: llm_adapter@2026-05-21 Confidence: high	—
Bugfix	Medium	Accept float-encoded integer options in ollama, fixing issue #9837. Accept float-encoded integer options in ollama, fixing issue #9837. Source: llm_adapter@2026-05-21 Confidence: high	—
Bugfix	Medium	Comply with OpenAI usage / stream_options spec for streaming. Comply with OpenAI usage / stream_options spec for streaming. Source: llm_adapter@2026-05-21 Confidence: high	—
Bugfix	Medium	Validate archive member paths before extraction. Validate archive member paths before extraction. Source: llm_adapter@2026-05-21 Confidence: high	—
Other	Medium	Update LocalAI documentation version by @localai-bot. Update LocalAI documentation version by @localai-bot. Source: llm_adapter@2026-05-21 Confidence: low	—

Full changelog

What's Changed

Bug fixes :bug:

fix(ollama): guard nil filter in galleryop.ListModels (#9817) by @localai-bot in https://github.com/mudler/LocalAI/pull/9836
realtime: honor output_modalities to skip TTS in text-only mode by @localai-bot in https://github.com/mudler/LocalAI/pull/9838
fix(ollama): accept float-encoded integer options (fixes #9837) by @localai-bot in https://github.com/mudler/LocalAI/pull/9849

Other Changes

chore: :arrow_up: Update ggml-org/llama.cpp to 7f3f843c31cd32dc4adc10b393342dfee071c332 by @localai-bot in https://github.com/mudler/LocalAI/pull/9809
feat(llama-cpp): expose 12 missing common_params via options[] by @localai-bot in https://github.com/mudler/LocalAI/pull/9814
fix(streaming): comply with OpenAI usage / stream_options spec by @localai-bot in https://github.com/mudler/LocalAI/pull/9815
Close Hugging Face scan response body by @massy-o in https://github.com/mudler/LocalAI/pull/9818
Validate video image URLs before download by @massy-o in https://github.com/mudler/LocalAI/pull/9819
feat(swagger): update swagger by @localai-bot in https://github.com/mudler/LocalAI/pull/9824
chore: :arrow_up: Update antirez/ds4 to 04b6fda2be395094cbf2d20d921e7a705a4166ef by @localai-bot in https://github.com/mudler/LocalAI/pull/9830
chore: :arrow_up: Update ggml-org/whisper.cpp to 46ca43d6399fdeada1b49fb2126ba373bd9ebc38 by @localai-bot in https://github.com/mudler/LocalAI/pull/9829
chore: :arrow_up: Update ikawrakow/ik_llama.cpp to 0fcffdb64d21e57f0778f342415754156e01adfa by @localai-bot in https://github.com/mudler/LocalAI/pull/9828
docs: :arrow_up: update docs version mudler/LocalAI by @localai-bot in https://github.com/mudler/LocalAI/pull/9825
chore: :arrow_up: Update leejet/stable-diffusion.cpp to 0b8296915c4094090cff6bd2e09a5e98288c3c7d by @localai-bot in https://github.com/mudler/LocalAI/pull/9827
chore: :arrow_up: Update ggml-org/llama.cpp to 834a243664114487f99520370a7a7b00fc7a486f by @localai-bot in https://github.com/mudler/LocalAI/pull/9826
Validate archive member paths before extraction by @massy-o in https://github.com/mudler/LocalAI/pull/9820
fix(deps): bump gomarkdown/markdown for GHSA-77fj-vx54-gvh7 by @richiejp in https://github.com/mudler/LocalAI/pull/9841
chore: :arrow_up: Update vllm-project/vllm cu130 wheel to 0.21.0 by @localai-bot in https://github.com/mudler/LocalAI/pull/9846
chore: :arrow_up: Update ikawrakow/ik_llama.cpp to 5cc0d86c760e9858e4bed4418400bb39dbe025f2 by @localai-bot in https://github.com/mudler/LocalAI/pull/9845
chore: :arrow_up: Update antirez/ds4 to 950e8e6474a1c9fabe04e669d607606a7ef8824f by @localai-bot in https://github.com/mudler/LocalAI/pull/9844
chore: :arrow_up: Update ggml-org/whisper.cpp to 968eebe77225d25e57a3f981da7c696310f0e881 by @localai-bot in https://github.com/mudler/LocalAI/pull/9843
chore: :arrow_up: Update ggml-org/llama.cpp to 1348f67c58f561808136e8a152a9eddec168f221 by @localai-bot in https://github.com/mudler/LocalAI/pull/9842

New Contributors

@massy-o made their first contribution in https://github.com/mudler/LocalAI/pull/9818

Full Changelog: https://github.com/mudler/LocalAI/compare/v4.2.4...v4.2.5

Security Fixes

dep: GHSA-77fj-vx54-gvh7 — bump gomarkdown/markdown

View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track LocalAI

Get notified when new releases ship.

About LocalAI

LocalAI is the open-source AI engine. Run any model - LLMs, vision, voice, image, video - on any hardware. No GPU required.

All releases →