Server-Side Request Forgery Vulnerability in parisneo/lollms-webui
CVE-2024-12766

7.5HIGH

Key Information:

Vendor: Parisneo
Status: Parisneo/lollms-webui
Vendor: CVE Published:; 20 March 2025

What is CVE-2024-12766?

The parisneo/lollms-webui version V13 (feather) contains a Server-Side Request Forgery (SSRF) vulnerability in the POST /api/proxy REST API endpoint. This vulnerability allows attackers to leverage the server’s own credentials, enabling unauthorized access to internal web resources by manipulating the JSON parameter, such as {"url":"http://steal.target"}. Notably, existing protective measures, including forbid_remote_access(lollmsElfServer), lollmsElfServer.config.headless_server_mode, and check_access(lollmsElfServer, request.client_id), do not mitigate this issue, highlighting a critical need for improved security protocols within the application.

Affected Version(s)

parisneo/lollms-webui <= unspecified

References

https://huntr.com/bounties/a143a2e2-1293-4dec-b875-331258...

CVSS V3.0

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 20, 2025
Vulnerability Reserved
Dec 18, 2024

JSON

Parisneo

What is CVE-2024-12766?

Affected Version(s)

References

CVSS V3.0

Timeline