CVE-2024-9309 CRITICAL

CVE-2024-9309: SSRF in POST /worker_generate_stream API endpoint in haotian-liu/llava

Vendor Haotian-Liu
Product haotian-liu/llava
Weakness CWE-918 · SSRF
Published March 20, 2025
Last update March 20, 2025

CVSS base score

9.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Scope Changed
Confidentiality High
Integrity Low
Availability None

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N

What the vulnerability does

Description

A Server-Side Request Forgery (SSRF) vulnerability exists in the POST /worker_generate_stream API endpoint of the Controller API Server in haotian-liu/llava version v1.2.0 (LLaVA-1.6). An unauthenticated remote attacker can cause the Controller API Server to issue requests on their behalf, using the server's own network position and credentials to perform unauthorized web actions or reach web resources the attacker could not otherwise access.

Key dates

Disclosure timeline

March 20, 2025 CVE published
March 20, 2025 Record updated