CVE-2024-11603

HIGH7.5EPSS 0.25%

FastChat Server-Side Request Forgery vulnerability

發布日:2025/3/20修改日:2025/3/21

描述

A Server-Side Request Forgery (SSRF) vulnerability exists in lm-sys/fastchat version 0.2.36. The vulnerability is present in the `/queue/join?` endpoint, where insufficient validation of the path parameter allows an attacker to send crafted requests. This can lead to unauthorized access to internal networks or the AWS metadata endpoint, potentially exposing sensitive data and compromising internal servers.

受影響套件(1)

PyPI/fschatfrom 0, <= 0.2.36

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	HIGH7.5	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

參考連結(3)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2024-11603
PATCHhttps://github.com/lm-sys/FastChat
WEBhttps://huntr.com/bounties/89f1158d-4a75-4000-a1bd-f82dd1a62bff