CVE-2024-12376 HIGH

CVE-2024-12376: Server Side Request Forgery in lm-sys/fastchat

Vendor: Lm-Sys
Product: lm-sys/fastchat
Weakness: CWE-918 · SSRF
Published: March 20, 2025
Last update: March 20, 2025

CVSS base score

7.5/10
Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Confidentiality: High
Integrity: None

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

01 Description

A Server-Side Request Forgery (SSRF) vulnerability was identified in the lm-sys/fastchat web server, specifically in the affected version git 2c68a13. This vulnerability allows an attacker to access internal server resources and data that are otherwise inaccessible, such as AWS metadata credentials.

Key dates

02 Disclosure timeline

March 20, 2025: CVE published
March 20, 2025: Record updated