Plattform
python
Komponente
lm-sys/fastchat
A Server-Side Request Forgery (SSRF) vulnerability has been identified in the Controller API Server of lm-sys/fastchat. This flaw allows attackers to leverage the server's credentials to initiate unauthorized web requests and access restricted resources. The vulnerability affects versions up to the latest release and was disclosed on December 30, 2024. Mitigation strategies include restricting network access and validating user input.
The SSRF vulnerability in fastchat's Controller API Server poses a significant risk. An attacker can exploit this by combining the /workergeneratestream endpoint with the /register_worker endpoint to craft malicious requests. This allows them to bypass security controls and potentially access internal resources, sensitive data, or even trigger actions on other systems the controller has access to. The impact could range from data exfiltration to complete system compromise, depending on the permissions associated with the controller’s credentials. This vulnerability shares similarities with other SSRF exploits where attackers leverage internal network access to gain unauthorized access.
CVE-2024-10044 was publicly disclosed on December 30, 2024. The vulnerability is considered high probability due to the ease of exploitation and the potential impact. No public proof-of-concept (PoC) code has been released at the time of this writing, but the vulnerability's nature suggests that a PoC is likely to emerge. Monitor CISA and NVD for updates and potential KEV listing.
Organizations deploying lm-sys/fastchat for large language model serving, particularly those with exposed Controller API Servers, are at significant risk. This includes research labs, AI development teams, and any environment where fastchat is used to manage and orchestrate language models. Shared hosting environments where multiple users share the same fastchat instance are also particularly vulnerable.
• python / server: Monitor outbound network traffic from the fastchat Controller API Server for unexpected destinations. Use tools like tcpdump or Wireshark to capture and analyze traffic.
tcpdump -i any -n port 80 or port 443 | grep -i 'example.com'• python / server: Examine fastchat logs for unusual requests to the /workergeneratestream and /register_worker endpoints. Look for requests with malformed URLs or unexpected parameters.
# Example log analysis (replace with your actual log parsing)
import re
with open('fastchat.log', 'r') as f:
for line in f:
if re.search(r'/worker_generate_stream.*(http://|https://)', line):
print(line)• generic web: Check for unusual outbound connections from the fastchat server using ss or netstat.
ss -t -a | grep fastchatdisclosure
patch
Exploit-Status
EPSS
0.16% (37% Perzentil)
CISA SSVC
CVSS-Vektor
The primary mitigation for CVE-2024-10044 is to upgrade to a patched version of fastchat as soon as it becomes available. Until a patch is applied, implement strict network access controls to limit the controller's outbound connections. This can be achieved through firewalls or network segmentation. Additionally, thoroughly validate all user-supplied input to prevent attackers from injecting malicious URLs. Consider implementing a Web Application Firewall (WAF) with SSRF protection rules to block suspicious requests. Monitor logs for unusual outbound connections originating from the controller server.
Aktualisieren Sie die lm-sys/fastchat Bibliothek auf eine Version nach e208d5677c6837d590b81cb03847c0b9de100765. Dies behebt die SSRF Vulnerabilität im /worker_generate_stream Endpoint. Weitere Details zur Aktualisierung finden Sie in den Versionshinweisen.
Schwachstellenanalysen und kritische Warnungen direkt in deinen Posteingang.
CVE-2024-10044 is a critical Server-Side Request Forgery (SSRF) vulnerability in the Controller API Server of lm-sys/fastchat, allowing attackers to exploit the server's credentials for unauthorized web actions.
If you are running lm-sys/fastchat with versions up to the latest release, you are potentially affected by this SSRF vulnerability.
The recommended fix is to upgrade to a patched version of fastchat as soon as it becomes available. Implement temporary workarounds like restricting network access and input validation until the patch is applied.
While no active campaigns have been publicly confirmed, the ease of exploitation makes it a likely target for attackers. Monitor your systems closely.
Refer to the lm-sys/fastchat repository and relevant security mailing lists for official advisories and updates regarding CVE-2024-10044.
Lade deine Abhängigkeitsdatei hoch und erfahre sofort, ob dich diese und andere CVEs treffen.
Lade deine requirements.txt-Datei hoch und wir sagen dir sofort, ob du betroffen bist.