Platform
python
Component
fschat
Fixed in
0.2.37
A Server-Side Request Forgery (SSRF) vulnerability has been identified in the lm-sys/fastchat web server, impacting versions up to 0.2.36. This flaw allows attackers to manipulate the server into making requests to unintended internal resources, potentially exposing sensitive data. The vulnerability stems from improper input validation within the web server's request handling logic. Addressing this vulnerability requires upgrading to a patched version of fastchat.
The SSRF vulnerability in fastchat allows an attacker to craft malicious requests that the server will execute on its behalf. A primary concern is the potential to access AWS metadata credentials if the server is deployed within an AWS environment. This could grant the attacker unauthorized access to AWS resources, including EC2 instances, S3 buckets, and other cloud services. Beyond AWS, the attacker could potentially access other internal services and databases that the server has access to, leading to data breaches and system compromise. The blast radius extends to any internal resources accessible by the fastchat server, making it a significant security risk.
This vulnerability is publicly known as of 2025-03-20. While no active exploitation campaigns have been definitively confirmed, the SSRF nature of the vulnerability makes it a high-probability target for automated scanning and exploitation. The potential for accessing AWS metadata credentials significantly elevates the risk. No KEV listing is currently available.
Organizations deploying fastchat within AWS environments are particularly at risk due to the potential for credential theft. Shared hosting environments where multiple users share the same server instance are also vulnerable, as an attacker could potentially exploit the vulnerability to access resources belonging to other users. Any deployment relying on fastchat for internal communication or data processing is potentially at risk.
• python / server:
# Check for vulnerable versions
python -c 'import fastchat; print(fastchat.__version__)'
• generic web:
# Attempt to trigger SSRF by requesting an internal resource
curl http://<fastchat_server>/.well-known/server-status
• generic web:
# Check response headers for unusual origins
curl -I http://<fastchat_server> | grep 'Origin:'
Disclosure
Exploit status
EPSS
0.12% (32nd percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-12376 is to upgrade to a patched version of fastchat. lm-sys should release a fix addressing the input validation issue. Until a patch is available, consider implementing a Web Application Firewall (WAF) to filter out malicious requests that attempt to exploit the SSRF vulnerability. Restrict network access to the fastchat server to only necessary ports and IP addresses. Regularly review and audit the server's configuration to ensure it adheres to security best practices. After upgrade, confirm by attempting a request to an internal resource and verifying that it is denied.
Update the fastchat library to the latest available version. This should include the fix for the SSRF vulnerability. Consult the release notes or the changelog for more details on the fix.
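The input-validation gap behind this SSRF is a missing check on where the server is about to send a request. The following is an added illustration of such a check, written for this page; it is a hypothetical helper, not code from lm-sys/fastchat, and the `resolver` parameter and the host names used in its tests are constructed.

```python
import ipaddress
import socket
from typing import Callable, List, Tuple
from urllib.parse import urlsplit

# Hypothetical outbound-destination guard, added as an illustration; not fastchat's own code.
# Before the server fetches a user-supplied URL, every address the host resolves to must
# be a public unicast address. Loopback, RFC 1918, link-local (which covers the AWS
# metadata endpoint 169.254.169.254), multicast and reserved ranges are all rejected.

ALLOWED_SCHEMES = {"http", "https"}


def is_public_address(ip: str) -> bool:
    """True only for globally routable unicast addresses."""
    addr = ipaddress.ip_address(ip)
    # An IPv4-mapped IPv6 literal such as ::ffff:169.254.169.254 is judged as its IPv4 form.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr.is_global and not addr.is_multicast


def resolve_all(host: str) -> List[str]:
    """Default resolver: every A/AAAA address for the host, via the system resolver."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def check_outbound_url(url: str,
                       resolver: Callable[[str], List[str]] = resolve_all) -> Tuple[bool, str]:
    """Return (allowed, reason). `resolver` is injectable so the check runs offline in tests."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        ipaddress.ip_address(host)  # literal address: nothing to resolve
        addrs = [host]
    except ValueError:
        try:
            addrs = resolver(host)
        except (OSError, KeyError) as exc:  # DNS failure, or unknown host in a test resolver
            return False, f"resolution failed for {host}: {exc!r}"
    if not addrs:
        return False, f"{host} resolved to no addresses"
    # Reject if *any* resolved address is internal, so a mixed public/private answer cannot slip through.
    for ip in addrs:
        if not is_public_address(ip):
            return False, f"{host} resolves to non-public address {ip}"
    return True, "ok"
```

The address that passed the check must be the one the HTTP client actually connects to (pin it), otherwise a second DNS lookup at connect time can return a different, internal answer.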
CVE-2024-12376 is a Server-Side Request Forgery (SSRF) vulnerability affecting lm-sys/fastchat versions up to 0.2.36, allowing attackers to access internal server resources.
If you are using fastchat version 0.2.36 or earlier, you are potentially affected by this SSRF vulnerability. Assess your deployment and upgrade as soon as possible.
The recommended fix is to upgrade to a patched version of fastchat. Monitor lm-sys's official channels for the release of a security update.
While no confirmed active exploitation campaigns are currently known, the SSRF nature of the vulnerability makes it a high-probability target for exploitation.
Refer to the lm-sys GitHub repository and their official communication channels for the latest security advisories and updates regarding CVE-2024-12376.