Platform
python
Component
fschat
Fixed in
0.2.37
A Server-Side Request Forgery (SSRF) vulnerability has been identified in the lm-sys/fastchat web server (PyPI package fschat), affecting versions up to and including 0.2.36; it is fixed in 0.2.37. The flaw lets an attacker make the server issue requests to destinations of the attacker's choosing, including internal resources that are not reachable from outside, and potentially read back what those resources return. The root cause is improper validation of attacker-influenced input in the web server's request handling logic. Remediation is to upgrade to a patched version of fastchat.
Because the fastchat server makes the request on the attacker's behalf, the request originates from the server's network position and identity. The most severe case is a deployment on AWS: a request to the instance metadata service (169.254.169.254) can return temporary IAM credentials for the instance role, which an attacker can then use from their own machine against EC2, S3 and any other service the role is allowed to reach. The same mechanism applies to other cloud providers' metadata endpoints. Beyond cloud metadata, any internal service, admin interface or database that the fastchat host can reach becomes a target. The blast radius is therefore defined by the server's network reachability and attached credentials, not by fastchat's own data, which is what makes an SSRF in a model-serving front end a significant risk.
This vulnerability has been public since 2025-03-20. No active exploitation campaign has been confirmed, but SSRF bugs in internet-exposed web servers are routinely picked up by automated scanners, and the prospect of harvesting cloud metadata credentials makes this one a likely target. It is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
Exploit Status
EPSS: 0.12% (32nd percentile)
The primary mitigation for CVE-2024-12376 is to upgrade fastchat to 0.2.37 or later, which contains the fix for the input validation issue. Where an immediate upgrade is not possible, reduce exposure in layers: put the fastchat web server behind a Web Application Firewall or reverse proxy that rejects requests carrying internal, loopback or link-local targets; restrict the server's outbound (egress) network access so it can reach only the hosts it needs, and block 169.254.169.254 in particular; on AWS, require IMDSv2 and set the metadata response hop limit to 1 so that a forwarded request cannot reach the metadata service. Limit inbound access to the server to the necessary ports and source addresses, and audit the deployment's configuration regularly. After upgrading, confirm that the installed fschat version is 0.2.37 or later and that a request pointed at an internal address (for example a private or link-local IP) is rejected rather than fetched.
Upgrade the fschat package to 0.2.37 or the latest available release, which includes the fix for this SSRF vulnerability. Refer to the project's release notes or changelog for details of the change.
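The following is an added example, not code from the fastchat project or from the fix itself. It shows the two checks the mitigation above asks for: a guard that rejects outbound URLs resolving to non-public addresses (the generic shape of an SSRF fix, covering literal IPs, IPv4-mapped IPv6 and hostnames whose DNS answers include a private address), and a comparison of an installed fschat version against the fixed release 0.2.37. The resolver is injectable and the FAKE_DNS table is constructed so the example runs offline; the hostnames and addresses in it are illustrative, not real fastchat endpoints.

```python
"""Added example: outbound-URL guard against SSRF plus a fixed-version check.
Not part of fastchat; the DNS table below is constructed for the demo."""
import ipaddress
import re
import socket
from urllib.parse import urlsplit

# fschat release that the advisory lists as containing the fix.
FIXED_VERSION = (0, 2, 37)

# Constructed resolver table so no network access is needed.
FAKE_DNS = {
    "api.example.com": ["8.8.8.8"],                   # public address (sample only)
    "models.internal": ["10.0.0.5"],                  # RFC 1918 private range
    "metadata.internal": ["169.254.169.254"],         # link-local: cloud metadata endpoint
    "dual.example.com": ["8.8.8.8", "127.0.0.1"],     # mixed answers: one loopback record
}


def fake_resolve(host: str) -> list[str]:
    """Stand-in for DNS. A real deployment would use real_resolve below."""
    if host not in FAKE_DNS:
        raise socket.gaierror(f"unknown host {host}")
    return FAKE_DNS[host]


def real_resolve(host: str) -> list[str]:
    """Resolve every A/AAAA record; all of them must pass the check."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_public_address(ip) -> bool:
    """True only for globally routable unicast addresses.
    IPv4-mapped IPv6 (::ffff:a.b.c.d) is unwrapped so ::ffff:127.0.0.1 is
    judged as 127.0.0.1 rather than as an unfamiliar IPv6 address."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_global and not ip.is_multicast


def check_outbound_url(url: str, resolve=fake_resolve) -> tuple[bool, str]:
    """Decide whether the server may fetch `url` on a user's behalf.
    Returns (allowed, reason). Rejects non-http(s) schemes, missing hosts,
    and any destination that resolves to a non-public address."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        addrs = [ipaddress.ip_address(host)]          # literal IP, incl. [v6]
    except ValueError:
        try:
            addrs = [ipaddress.ip_address(a) for a in resolve(host)]
        except (socket.gaierror, ValueError) as exc:
            return False, f"resolution failed: {exc}"
    for ip in addrs:
        if not is_public_address(ip):
            return False, f"{host} resolves to non-public address {ip}"
    return True, "ok"


def parse_version(version: str) -> tuple[int, int, int]:
    """Reduce '0.2.37', '0.2.37.post1' or '0.2.37rc1' to a comparable triple.
    A pre-release of the fixed version compares equal to it here; treat that
    as an assumption and prefer the final release in practice."""
    parts = []
    for piece in version.split(".")[:3]:
        match = re.match(r"\d+", piece)
        parts.append(int(match.group()) if match else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_fixed_version(version: str) -> bool:
    """True if the given fschat version is 0.2.37 or later."""
    return parse_version(version) >= FIXED_VERSION


def installed_fschat_version():
    """Version string of the locally installed fschat package, or None."""
    from importlib.metadata import PackageNotFoundError, version
    try:
        return version("fschat")
    except PackageNotFoundError:
        return None


if __name__ == "__main__":
    for u in ("https://api.example.com/v1/models", "http://169.254.169.254/latest/meta-data/",
              "http://models.internal/", "http://[::ffff:127.0.0.1]/", "http://dual.example.com/",
              "file:///etc/passwd"):
        print(u, "->", check_outbound_url(u))
    v = installed_fschat_version()
    print("fschat:", v, "fixed" if v and is_fixed_version(v) else "not installed or vulnerable")
```

Two caveats on the guard, both standard for SSRF defenses: the check must be repeated on every HTTP redirect, since a public host can 302 to an internal one, and the address that passed the check should be the one actually connected to (pin it, or re-check at connect time), otherwise a DNS rebinding attack can swap in a private answer between the check and the connection. Blocking egress to the metadata endpoint at the network layer, as recommended above, backstops both gaps.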
CVE-2024-12376 is a Server-Side Request Forgery (SSRF) vulnerability in lm-sys/fastchat versions up to and including 0.2.36 that lets an attacker make the server issue requests to internal resources on their behalf.
If you are using fastchat version 0.2.36 or earlier, you are potentially affected by this SSRF vulnerability. Assess your deployment and upgrade as soon as possible.
The recommended fix is to upgrade to fastchat 0.2.37 or later, the release that contains the patch. Keep following lm-sys's official channels for any further security updates.
While no confirmed active exploitation campaigns are currently known, the SSRF nature of the vulnerability makes it a high-probability target for exploitation.
Refer to the lm-sys GitHub repository and their official communication channels for the latest security advisories and updates regarding CVE-2024-12376.