CVE-2024-11449

HIGH

hliu/large_language_and_vision_assistant 1.2.0 - Server-Side Request Forgery via Path Parameter

Title source: manual

Description

A vulnerability in haotian-liu/llava version 1.2.0 (LLaVA-1.6) allows for Server-Side Request Forgery (SSRF) through the /run/predict endpoint. An attacker can gain unauthorized access to internal networks or the AWS metadata endpoint by sending crafted requests that exploit insufficient validation of the path parameter. This flaw can lead to unauthorized network access, sensitive data exposure, and further exploitation within the network.

References (1)

Core 1

Core References

Exploit, Third Party Advisory

https://huntr.com/bounties/e96aba28-d564-4ecb-ab77-350511d2e1ee

Scores

CVSS v3 7.5

EPSS 0.0065

EPSS Percentile 46.1%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

CWE

CWE-918

Status published

Products (1)

hliu/large_language_and_vision_assistant 1.2.0

Published Mar 20, 2025

Tracked Since Feb 18, 2026