Platform: python
Component: lm-sys/fastchat
A critical Server-Side Request Forgery (SSRF) vulnerability has been identified in the Controller API Server of lm-sys/fastchat. This flaw allows attackers to leverage the server's credentials to access unauthorized web resources and perform actions, potentially leading to significant data exposure and system compromise. The vulnerability affects versions up to the latest release and was disclosed on December 30, 2024. Mitigation involves upgrading to a patched version of fastchat.
The SSRF vulnerability in fastchat's Controller API Server poses a severe risk. An attacker can exploit the combination of the /worker_generate_stream and /register_worker endpoints to craft malicious requests. By manipulating these endpoints, they can trick the server into making requests to internal or external resources that it should not have access to, effectively using the server as a proxy. This can lead to the exposure of sensitive data, unauthorized access to internal systems, and potentially even remote code execution if the targeted resources are themselves vulnerable. The blast radius extends to any resource reachable from the Controller API Server, making this a high-impact vulnerability.
This vulnerability is actively being tracked and its severity is underscored by its CRITICAL CVSS score. Public proof-of-concept exploits are likely to emerge given the SSRF nature of the vulnerability. While no active campaigns have been publicly confirmed as of this writing, the ease of exploitation makes it a prime target for opportunistic attackers. The vulnerability was publicly disclosed on December 30, 2024.
Exploit Status
EPSS: 0.16% (37th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2024-10044 is to upgrade to a patched version of fastchat as soon as it becomes available. Until a patch is applied, consider implementing temporary workarounds. Restrict network access from the Controller API Server to only the resources it needs to reach. Implement strict input validation on the /worker_generate_stream and /register_worker endpoints so that worker addresses cannot be manipulated into arbitrary URLs. Consider using a Web Application Firewall (WAF) to filter out suspicious requests. Monitor logs for unusual outbound traffic originating from the Controller API Server. After upgrading, confirm the vulnerability is resolved by attempting a controlled SSRF request and verifying that it is blocked.
Update the lm-sys/fastchat library to a version later than commit e208d5677c6837d590b81cb03847c0b9de100765. This fixes the SSRF vulnerability in the /worker_generate_stream endpoint. See the release notes for more details on the update.
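As an added example that is not part of this advisory or of the fastchat project, the following Python sketch shows the kind of allowlist validation the mitigation above calls for at the worker-registration step, together with a helper that checks observed outbound destinations (for instance, pulled from controller logs) against the same allowlist. The function names, allowlist entries and port numbers are assumptions for illustration; adjust them to the deployment.

```python
"""Allowlist-based validation of worker addresses for a model controller.

Added example, not fastchat's own code. The idea: the controller only ever
forwards generation requests to workers that were accepted at registration,
so an allowlist check on the registered address is the natural choke point.
ALLOWED_HOSTS, ALLOWED_NETWORKS and ALLOWED_PORTS are constructed values.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist: where legitimate workers are expected to live.
ALLOWED_HOSTS = {"worker-1.internal", "worker-2.internal"}
ALLOWED_NETWORKS = [ipaddress.ip_network("10.20.0.0/24")]
ALLOWED_PORTS = {21002, 21003}


def is_allowed_worker_url(url: str) -> bool:
    """Return True only if `url` is a bare http(s) origin on the allowlist.

    Everything else is rejected: non-http schemes, embedded credentials,
    paths or query strings, unexpected ports, IP literals outside the
    allowed networks, and hostnames that are not explicitly listed.
    """
    try:
        parts = urlsplit(url)
    except ValueError:  # e.g. malformed IPv6 brackets
        return False
    if parts.scheme not in ("http", "https"):
        return False
    if parts.username or parts.password:
        return False  # "allowed-host@evil.example" style confusion
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        return False  # a worker address is an origin, not a full URL
    host = parts.hostname  # already lower-cased by urlsplit
    if not host:
        return False
    try:
        port = parts.port  # raises ValueError for non-numeric/out-of-range
    except ValueError:
        return False
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    if port not in ALLOWED_PORTS:
        return False
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        # Not an IP literal: only explicitly listed hostnames pass, so
        # decimal/octal IP encodings and random DNS names are all rejected.
        return host.rstrip(".") in ALLOWED_HOSTS
    # IP literal: must fall inside an allowed network (an IPv6 literal is
    # never "in" an IPv4 network, so mapped forms are rejected as well).
    return any(addr in net for net in ALLOWED_NETWORKS)


def unexpected_outbound(destinations):
    """Return the observed outbound worker URLs the allowlist would reject.

    Feed this the destination URLs seen in controller egress logs to spot
    traffic that should never have happened.
    """
    return [d for d in destinations if not is_allowed_worker_url(d)]


if __name__ == "__main__":
    # Constructed sample of destinations as they might appear in logs.
    seen = [
        "http://worker-1.internal:21002",
        "http://10.20.0.7:21002",
        "http://127.0.0.1:21002",
        "http://169.254.169.254/latest/meta-data/",
    ]
    for bad in unexpected_outbound(seen):
        print("unexpected outbound destination:", bad)
```

An allowlist is used rather than a denylist of private ranges because denylists are routinely bypassed by alternate IP encodings and by DNS names that resolve to internal addresses; with an allowlist, a hostname passes only if it was explicitly configured. Resolving the hostname and re-checking the resolved address at connect time would close the DNS-rebinding gap, but is omitted here so the example runs offline.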
CVE-2024-10044 is a critical Server-Side Request Forgery (SSRF) vulnerability in the Controller API Server of lm-sys/fastchat, allowing attackers to exploit the server's credentials for unauthorized web actions.
If you are running lm-sys/fastchat with versions up to the latest release, you are potentially affected by this SSRF vulnerability.
The recommended fix is to upgrade to a patched version of fastchat as soon as it becomes available. Implement temporary workarounds like restricting network access and input validation until the patch is applied.
While no active campaigns have been publicly confirmed, the ease of exploitation makes it a likely target for attackers. Monitor your systems closely.
Refer to the lm-sys/fastchat repository and relevant security mailing lists for official advisories and updates regarding CVE-2024-10044.