Server-Side Request Forgery Flaw in lm-sys/fastchat Controller API
CVE-2024-10044
Currently unrated
Summary
A critical Server-Side Request Forgery (SSRF) vulnerability exists in the POST /worker_generate_stream API endpoint of the Controller API Server in lm-sys/fastchat. The flaw lets attackers abuse the controller API server's credentials to perform unauthorized actions and access protected web resources. Combined with the POST /register_worker endpoint, it allows attackers to make unauthorized web requests that may lead to further security breaches.
Affected Version(s)
lm-sys/fastchat <= unspecified
Timeline
Vulnerability published
Vulnerability Reserved