CVE-2024-10044

SSRF in POST /worker_generate_stream API endpoint in lm-sys/fastchat

CVSS 9.3 CRITICALEPSS 0.5%CWE-918

Vexday Risk Score

28Bajo

Decisión SSVC (CISA)

Track

Sin señal de explotación → monitorear

CVSS 9.3EPSS 0.5%KEV nãoPoC —Nuclei —Metasploit —Patch —

Ciclo de vida

30 dic 2024Publicada en NVD

Recomendación: Monitorear — sin señal de explotación por ahora.

A Server-Side Request Forgery (SSRF) vulnerability exists in the POST /worker_generate_stream API endpoint of the Controller API Server in lm-sys/fastchat, as of commit e208d5677c6837d590b81cb03847c0b9de100765. This vulnerability allows attackers to exploit the victim controller API server's credentials to perform unauthorized web actions or access unauthorized web resources by combining it with the POST /register_worker endpoint.

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N

Productos afectados

lm-sys · lm-sys/fastchat

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →

Referencias

https://huntr.com/bounties/44633540-377d-4ac4-b3a3-c2d0fa19d0e6