CVE-2024-10044

fastchat vulnerability - lm-sys

Critical CVSS Score: 9.3 Published: 2024-12-30

Description

A Server-Side Request Forgery (SSRF) vulnerability exists in the POST /worker_generate_stream API endpoint of the Controller API Server in lm-sys/fastchat, as of commit e208d5677c6837d590b81cb03847c0b9de100765. This vulnerability allows attackers to exploit the victim controller API server's credentials to perform unauthorized web actions or access unauthorized web resources by combining it with the POST /register_worker endpoint.

Affected Systems

Vendor	lm-sys
Product	fastchat
Affected Versions	2024-09-23
CWE ID	CWE-918

Mitigation

Apply the latest security patches from the vendor, restrict network exposure where applicable, and monitor for exploitation attempts.

Fix Instructions

Refer to the vendor advisory and apply the latest security updates. See references for detailed patching instructions.

References

https://huntr.com/bounties/44633540-377d-4ac4-b3a3-c2d0fa19d...

Risk Assessment

CVSS: 9.3/10

Exploit Available	Unknown
Patch Available	Unknown

Need Help Patching?

Our security team can help assess and remediate this vulnerability in your environment.

Get Help

Stay Ahead of Threats

Subscribe to our vulnerability feed and get instant alerts when new CVEs affect your systems.

Start Monitoring