Plattform
python
Komponente
haotian-liu/llava
A Server-Side Request Forgery (SSRF) vulnerability has been identified in the LLaVA project (haotian-liu/llava), affecting versions up to the latest commit (c121f04). This flaw allows a malicious actor to trick the server into making HTTP requests to arbitrary URLs. The potential impact includes unauthorized access to sensitive data accessible only from the server's network, such as AWS metadata credentials.
The SSRF vulnerability in LLaVA presents a significant risk because it enables attackers to bypass network security controls and access internal resources. An attacker could leverage this vulnerability to retrieve sensitive information like AWS credentials, internal API keys, or other confidential data stored within the server's environment. Successful exploitation could lead to data breaches, unauthorized access to cloud infrastructure, and potential compromise of the entire system. The ability to make arbitrary HTTP requests effectively grants the attacker a window into the server's internal network, allowing for reconnaissance and further exploitation.
This vulnerability is publicly known and documented. While no active exploitation campaigns have been definitively linked to CVE-2024-12068 at the time of writing, the SSRF nature of the vulnerability makes it a potential target for opportunistic attackers. The vulnerability was disclosed on 2025-03-20. The ease of exploitation, combined with the potential for significant impact, warrants careful attention and prompt mitigation.
Organizations deploying LLaVA in cloud environments, particularly those utilizing AWS, are at heightened risk. Shared hosting environments where LLaVA is running alongside other applications are also vulnerable, as a successful SSRF attack could potentially compromise other tenants on the same server. Any deployment lacking robust outbound network controls is susceptible.
• python / server:
import requests
import os
def check_llava_ssrf(url):
try:
response = requests.get(url, timeout=5, verify=False)
print(f"URL {url} returned status code: {response.status_code}")
return True
except requests.exceptions.RequestException as e:
print(f"Error accessing {url}: {e}")
return False
# Example usage (replace with your target URL)
target_url = os.environ.get('TARGET_URL', 'http://localhost:8000/api/some_endpoint')
check_llava_ssrf(target_url)• generic web:
curl -v http://your-llava-instance/api/some_endpoint > /dev/null 2>&1 | grep -i 'Internal Server Error'disclosure
Exploit-Status
EPSS
0.12% (32% Perzentil)
CISA SSVC
CVSS-Vektor
The primary mitigation for CVE-2024-12068 is to upgrade to a patched version of LLaVA as soon as it becomes available. Until a patch is released, implement strict outbound network access controls to limit the server's ability to make external HTTP requests. This can be achieved through firewall rules, proxy configurations, or network segmentation. Consider using a Web Application Firewall (WAF) to filter outbound requests and block those targeting potentially sensitive endpoints. Regularly review and audit network configurations to ensure they adhere to security best practices.
Aktualisieren Sie die llava-Bibliothek auf die neueste verfügbare Version. Überprüfen Sie die Versionshinweise, um sicherzustellen, dass die SSRF-Schwachstelle behoben wurde. Wenn keine behobene Version verfügbar ist, implementieren Sie zusätzliche Sicherheitsmaßnahmen, wie z. B. die Validierung und Filterung von URLs, die vom Benutzer bereitgestellt werden, um das SSRF-Risiko zu mindern.
Schwachstellenanalysen und kritische Warnungen direkt in deinen Posteingang.
CVE-2024-12068 is a Server-Side Request Forgery vulnerability in the LLaVA project allowing attackers to make HTTP requests to arbitrary URLs, potentially accessing sensitive data.
If you are using LLaVA versions up to the latest commit (c121f04) and have not implemented outbound network access controls, you are potentially affected by this vulnerability.
The recommended fix is to upgrade to a patched version of LLaVA as soon as it becomes available. Until then, implement strict outbound network access controls.
While no active exploitation campaigns have been definitively linked to CVE-2024-12068, the SSRF nature of the vulnerability makes it a potential target for opportunistic attackers.
Refer to the LLaVA project's official repository and communication channels for updates and advisories regarding CVE-2024-12068.
Lade deine Abhängigkeitsdatei hoch und erfahre sofort, ob dich diese und andere CVEs treffen.
Lade deine requirements.txt-Datei hoch und wir sagen dir sofort, ob du betroffen bist.