CVE-2024-11603

HIGH7.5EPSS 0.25%

FastChat Server-Side Request Forgery vulnerability

Published: 3/20/2025Modified: 3/21/2025

Description

A Server-Side Request Forgery (SSRF) vulnerability exists in lm-sys/fastchat version 0.2.36. The vulnerability is present in the `/queue/join?` endpoint, where insufficient validation of the path parameter allows an attacker to send crafted requests. This can lead to unauthorized access to internal networks or the AWS metadata endpoint, potentially exposing sensitive data and compromising internal servers.

Affected packages (1)

PyPI/fschatfrom 0, <= 0.2.36

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.5	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References (3)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2024-11603
PATCHhttps://github.com/lm-sys/FastChat
WEBhttps://huntr.com/bounties/89f1158d-4a75-4000-a1bd-f82dd1a62bff